Summary

Cybersecurity vulnerabilities challenge governments, businesses, and individuals worldwide.
Attacks have been initiated by individuals, as well as countries. Targets have included
government networks, military defenses, companies, or political organizations, depending upon
whether the attacker was seeking military intelligence, conducting diplomatic or industrial
espionage, or intimidating political activists. In addition, national borders mean little or nothing to
cyberattackers, and attributing an attack to a specific location can be difficult, which also makes a
response problematic.

Congress has been actively involved in cybersecurity issues, holding hearings every year since
2001. There is no shortage of data on this topic: government agencies, academic institutions,
think tanks, security consultants, and trade associations have issued hundreds of reports, studies,
analyses, and statistics.

This report provides links to selected authoritative resources related to cybersecurity issues. This
report includes information on

• “Legislation”
• “Hearings in the 112th Congress”
• “Executive Orders and Presidential Directives”
• “Data and Statistics”
• “Cybersecurity Glossaries”
• “Reports by Topic”
• Government Accountability Office (GAO) reports
• White House/Office of Management and Budget reports
• Military/DoD
• Cloud Computing
• Critical Infrastructure
• National Strategy for Trusted Identities in Cyberspace (NSTIC)
• Cybercrime/Cyberwar
• International
• Education/Training/Workforce
• Research and Development (R&D)
• “Related Resources: Other Websites”

The report will be updated as needed.

Introduction

Cybersecurity is a sprawling topic that includes national, international, government, and private
industry dimensions. More than 40 bills and resolutions with provisions related to cybersecurity
have been introduced in the first session of the 112th Congress, including several proposing
revisions to current laws. In the 111th Congress, the total was more than 60. Several of those bills
received committee or floor action, but none have become law. In fact, no comprehensive
cybersecurity legislation has been enacted since 2002.

This report provides links to cybersecurity hearings and legislation under consideration in the
112th Congress, as well as executive orders and presidential directives, data and statistics,
glossaries, and authoritative reports.

For CRS analysis, please see the collection of CRS reports found on the Issues in Focus:
Cybersecurity site.


Legislation

No major legislative provisions relating to cybersecurity have been enacted since 2002, despite
many recommendations made over the past decade. The Obama Administration sent Congress a
package of legislative proposals in May 2011¹ to give the federal government new authority to
ensure that corporations that own the assets most critical to the nation’s security and economic
prosperity are adequately addressing the risks posed by cybersecurity threats.

Cybersecurity legislation is advancing in both chambers in the 112th Congress. The House
introduced a series of bills that address a variety of issues — from toughening law enforcement of
cybercrimes to giving the Department of Homeland Security oversight of federal information
technology and critical infrastructure security to lessening liability for private companies that
adopt cybersecurity best practices. The Senate is pursuing a comprehensive cybersecurity bill
with several committees working to create a single vehicle for passage.

Table 1 and Table 2 provide lists of major Senate and House legislation under current
consideration in the 112th Congress, in order by date introduced. When viewed in HTML, the bill
numbers are active links to the Bill Summary and Status page in the Legislative Information
Service (LIS). The tables include bills with committee action, floor action, or significant
legislative interest.


¹ White House, International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World, May
2011, at http://www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf.


Congressional Research Service

Cybersecurity: Authoritative Reports and Resources


Table 1. Major Legislation: Senate (112th Congress)

| Bill No. | Title | Committee(s) | Date Introduced |
|---|---|---|---|
| S. 413 | Cybersecurity and Internet Freedom Act of 2011 | Homeland Security and Governmental Affairs | February 17, 2011 |
| S. 1151 | Personal Data Privacy and Security Act of 2011 | Judiciary | June 7, 2011 |
| S. 1342 | Grid Cyber Security Act | Energy and Natural Resources | July 11, 2011 |
| S. 1535 | Personal Data Protection and Breach Accountability Act of 2011 | Judiciary | September 22, 2011 |
| S. 2102 | Cybersecurity Information Sharing Act of 2012 | Homeland Security and Governmental Affairs | February 13, 2012 |
| S. 2105 | Cybersecurity Act of 2012 | Homeland Security and Governmental Affairs | February 14, 2012 |

Source: Legislative Information System (LIS).

Table 2. Major Legislation: House (112th Congress)

| Bill No. | Title | Committee(s) | Date Introduced |
|---|---|---|---|
| H.R. 76 | Cybersecurity Education Enhancement Act of 2011 | Homeland Security; House Oversight and Government Reform | January 5, 2011 |
| H.R. 174 | Homeland Security Cyber and Physical Infrastructure Protection Act of 2011 | Technology; Education and the Workforce; Homeland Security | January 5, 2011 |
| H.R. 2096 | Cybersecurity Enhancement Act of 2011 | Science, Space, and Technology | June 2, 2011 |
| H.R. 3523 | Cyber Intelligence Sharing and Protection Act | Committee on Intelligence (Permanent Select) | November 30, 2011 |
| H.R. 3674 | PRECISE Act of 2011 | Homeland Security; Oversight and Government Reform; Science, Space, and Technology; Judiciary; Intelligence (Permanent Select) | December 15, 2011 |
| H.R. 4263 | SECURE IT Act of 2012 Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and | Oversight and Government Reform, the Judiciary, Armed Services, and Intelligence (Permanent Select) | March 27, 2012 |
| H.R. 3834 | Advancing America's Networking and Information Technology Research and Development Act of 2012 | Science, Space, and Technology | January 27, 2012 |
| H.R. 4257 | Federal Information Security Amendments Act of 2012 | Oversight and Government Reform | April 18, 2012 |

Source: Legislative Information System (LIS).

Hearings in the 112th Congress

The following tables list cybersecurity hearings in the 112th Congress. Table 3 and Table 4
contain identical content but are organized differently. Table 3 lists House hearings, arranged by date
(most recent first), and Table 4 lists House hearings, arranged by committee. Table 5 lists House
markups by date. Table 6 and Table 7 contain identical content. Table 6 lists Senate hearings,
arranged by date, and Table 7 lists Senate hearings arranged by committee. When viewed in
HTML, the document titles are active links.

Table 3. House Hearings (112th Congress), by Date

| Title | Date | Committee | Subcommittee |
|---|---|---|---|
| Iranian Cyber Threat to U.S. Homeland | April 26, 2012 | Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies and Counterterrorism and Intelligence |
| America is Under Cyber Attack: Why Urgent Action is Needed | April 24, 2012 | Homeland Security | Oversight, Investigations and Management |
| The DHS and DOE National Labs: Finding Efficiencies and Optimizing Outputs in Homeland Security Research and Development | April 19, 2012 | Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies |
| Cybersecurity: Threats to Communications Networks and Public-Sector Responses | March 28, 2012 | Energy and Commerce | Communications and Technology |
| IT Supply Chain Security: Review of Government and Industry Efforts | March 27, 2012 | Energy and Commerce | Oversight and Investigations |
| Fiscal 2013 Defense Authorization: IT and Cyber Operations | March 20, 2012 | Armed Services | Emerging Threats and Capabilities |
| Cybersecurity: The Pivotal Role of Communications Networks | March 7, 2012 | Energy and Commerce | Communications and Technology |
| NASA Cybersecurity: An Examination of the Agency's Information Security | February 29, 2012 | Science, Space, and Technology | Investigations and Oversight |
| Critical Infrastructure Cybersecurity: Assessments of Smart Grid Security | February 28, 2012 | Energy and Commerce | Oversight and Investigations |
| Hearing on Draft Legislative Proposal on Cybersecurity | December 6, 2011 | Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies |
| Cyber Security: Protecting Your Small Business | December 1, 2011 | Small Business | Healthcare and Technology |
| Cyber Security: Protecting Your Small Business | November 30, 2011 | Small Business | Healthcare and Technology |
| Combating Online Piracy (H.R. 3261, Stop the Online Piracy Act) | November 16, 2011 | Judiciary | |
| Cybersecurity: Protecting America's New Frontier | November 15, 2011 | Judiciary | Crime, Terrorism and Homeland Security |
| Institutionalizing Irregular Warfare Capabilities | November 3, 2011 | Armed Services | Emerging Threats and Capabilities |
| Cloud Computing: What are the Security Implications? | October 6, 2011 | Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies |
| Cyber Threats and Ongoing Efforts to Protect the Nation | October 4, 2011 | Permanent Select Intelligence | |
| The Cloud Computing Outlook | September 21, 2011 | Science, Space, and Technology | Technology and Innovation |
| Combating Cybercriminals | September 14, 2011 | Financial Services | Financial Institutions and Consumer Credit |
| Cybersecurity: An Overview of Risks to Critical Infrastructure | July 26, 2011 | Energy and Commerce | Oversight and Investigations |
| Cybersecurity: Assessing the Nation's Ability to Address the Growing Cyber Threat | July 7, 2011 | Oversight and Government Reform | |
| Field Hearing: Hacked Off: Helping Law Enforcement Protect Private Financial Information | June 29, 2011 | Financial Services (field hearing in Hoover, AL) | |
| Examining the Homeland Security Impact of the Obama Administration's Cybersecurity Proposal | June 24, 2011 | Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies |
| Sony and Epsilon: Lessons for Data Security Legislation | June 2, 2011 | Energy and Commerce | Commerce, Manufacturing, and Trade |
| Protecting the Electric Grid: the Grid Reliability and Infrastructure Defense Act | May 31, 2011 | Energy and Commerce | Energy and Power |
| Unlocking the SAFETY Act's [Support Anti-terrorism by Fostering Effective Technologies - P.L. 107-296] Potential to Promote Technology and Combat Terrorism | May 26, 2011 | Homeland Security | Cybersecurity, Infrastructure Protection, and Security Technologies |
| Protecting Information in the Digital Age: Federal Cybersecurity Research and Development Efforts | May 25, 2011 | Science, Space and Technology | Research and Science Education |
| Cybersecurity: Innovative Solutions to Challenging Problems | May 25, 2011 | Judiciary | Intellectual Property, Competition and the Internet |
| Cybersecurity: Assessing the Immediate Threat to the United States | May 25, 2011 | Oversight and Government Reform | National Security, Homeland Defense and Foreign Operations |
| DHS Cybersecurity Mission: Promoting Innovation and Securing Critical Infrastructure | April 15, 2011 | Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies |
| Communist Chinese Cyber-Attacks, Cyber-Espionage and Theft of American Technology | April 15, 2011 | Foreign Affairs | Oversight and Investigations |
| Budget Hearing - National Protection and Programs Directorate, Cybersecurity and Infrastructure Protection Programs | March 31, 2011 | Appropriations (closed/classified) | |
| Examining the Cyber Threat to Critical Infrastructure and the American Economy | March 16, 2011 | Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies |
| 2012 Budget Request from U.S. Cyber Command | March 16, 2011 | Armed Services | Emerging Threats and Capabilities |
| What Should the Department of Defense's Role in Cyber Be? | February 11, 2011 | Armed Services | Emerging Threats and Capabilities |
| Preventing Chemical Terrorism: Building a Foundation of Security at Our Nation's Chemical Facilities | February 11, 2011 | Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies |
| World Wide Threats | February 10, 2011 | Permanent Select Intelligence | |
Source: Compiled by the Congressional Research Service (CRS).

Table 4. House Hearings (112th Congress), by Committee

| Committee | Subcommittee | Title | Date |
|---|---|---|---|
| Appropriations (closed/classified) | | Budget Hearing - National Protection and Programs Directorate, Cybersecurity and Infrastructure Protection Programs | March 31, 2011 |
| Armed Services | Emerging Threats and Capabilities | Fiscal 2013 Defense Authorization: IT and Cyber Operations | March 20, 2012 |
| Armed Services | Emerging Threats and Capabilities | Institutionalizing Irregular Warfare Capabilities | November 3, 2011 |
| Armed Services | Emerging Threats and Capabilities | 2012 Budget Request for U.S. Cyber Command | March 16, 2011 |
| Armed Services | Emerging Threats and Capabilities | What Should the Department of Defense's Role in Cyber Be? | February 11, 2011 |
| Energy and Commerce | Communications and Technology | Cybersecurity: Threats to Communications Networks and Public-Sector Responses | March 28, 2012 |
| Energy and Commerce | Oversight and Investigations | IT Supply Chain Security: Review of Government and Industry Efforts | March 27, 2012 |
| Energy and Commerce | Communications and Technology | Cybersecurity: The Pivotal Role of Communications Networks | March 7, 2012 |
| Energy and Commerce | Oversight and Investigations | Critical Infrastructure Cybersecurity: Assessments of Smart Grid Security | February 28, 2012 |
| Energy and Commerce | Oversight and Investigations | Cybersecurity: An Overview of Risks to Critical Infrastructure | July 26, 2011 |
| Energy and Commerce | Commerce, Manufacturing, and Trade | Sony and Epsilon: Lessons for Data Security Legislation | June 2, 2011 |
| Energy and Commerce | Energy and Power | Protecting the Electric Grid: the Grid Reliability and Infrastructure Defense Act | May 31, 2011 |
| Financial Services | Financial Institutions and Consumer Credit | Combating Cybercriminals | September 14, 2011 |
| Financial Services | Field hearing in Hoover, AL | Field Hearing: Hacked Off: Helping Law Enforcement Protect Private Financial Information | June 29, 2011 |
| Foreign Affairs | Oversight and Investigations | Communist Chinese Cyber-Attacks, Cyber-Espionage and Theft of American Technology | April 15, 2011 |
| Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies and Counterterrorism and Intelligence | Iranian Cyber Threat to U.S. Homeland | April 26, 2012 |
| Homeland Security | Oversight, Investigations and Management | America is Under Cyber Attack: Why Urgent Action is Needed | April 24, 2012 |
| Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies | The DHS and DOE National Labs: Finding Efficiencies and Optimizing Outputs in Homeland Security Research and Development | April 19, 2012 |
| Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies | Hearing on Draft Legislative Proposal on Cybersecurity | December 6, 2011 |
| Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies | Cloud Computing: What are the Security Implications? | October 6, 2011 |
| Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies | Examining the Homeland Security Impact of the Obama Administration's Cybersecurity Proposal | June 24, 2011 |
| Homeland Security | | Unlocking the SAFETY Act's [Support Anti-terrorism by Fostering Effective Technologies - P.L. 107-296] Potential to Promote Technology and Combat Terrorism | May 26, 2011 |
| Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies | DHS Cybersecurity Mission: Promoting Innovation and Securing Critical Infrastructure | April 15, 2011 |
| Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies | Examining the Cyber Threat to Critical Infrastructure and the American Economy | March 16, 2011 |
| Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies | Preventing Chemical Terrorism: Building a Foundation of Security at Our Nation's Chemical Facilities | February 11, 2011 |
| Judiciary | | Combating Online Piracy (H.R. 3261, Stop the Online Piracy Act) | November 16, 2011 |
| Judiciary | Crime, Terrorism and Homeland Security | Cybersecurity: Protecting America’s New Frontier | November 15, 2011 |
| Judiciary | Intellectual Property, Competition and the Internet | Cybersecurity: Innovative Solutions to Challenging Problems | May 25, 2011 |
| Oversight and Government Reform | | Cybersecurity: Assessing the Nation's Ability to Address the Growing Cyber Threat | July 7, 2011 |
| Oversight and Government Reform | Subcommittee on National Security, Homeland Defense and Foreign Operations | Cybersecurity: Assessing the Immediate Threat to the United States | May 25, 2011 |
| Permanent Select Intelligence | | Cyber Threats and Ongoing Efforts to Protect the Nation | October 4, 2011 |
| Permanent Select Intelligence | | World Wide Threats | February 10, 2011 |
| Science, Space and Technology | Investigations and Oversight | NASA Cybersecurity: An Examination of the Agency's Information Security | February 29, 2012 |
| Science, Space and Technology | Technology and Innovation | The Cloud Computing Outlook | September 21, 2011 |
| Science, Space and Technology | Research and Science Education | Protecting Information in the Digital Age: Federal Cybersecurity Research and Development Efforts | May 25, 2011 |
| Small Business | Healthcare and Technology | Cyber Security: Protecting Your Small Business | November 30, 2011 |
Source: Compiled by CRS.

Table 5. House Markups (112th Congress), by Date

| Title | Date | Committee | Subcommittee |
|---|---|---|---|
| Consideration and Markup of H.R. 3674 | February 1, 2012 | Homeland Security | Cybersecurity, Infrastructure Protection and Security Technologies |
| Markup: Draft Bill: Cyber Intelligence Sharing and Protection Act of 2011 | December 1, 2011 | Permanent Select Intelligence | |
| Markup on H.R. 2096, Cybersecurity Enhancement Act of 2011 | July 21, 2011 | Science, Space and Technology | |
| Discussion Draft of H.R. 2577, a bill to require greater protection for sensitive consumer data and timely notification in case of breach | June 15, 2011 | Energy and Commerce | Commerce, Manufacturing, and Trade |
Source: Compiled by CRS.

Table 6. Senate Hearings (112th Congress), by Date

| Title | Date | Committee | Subcommittee |
|---|---|---|---|
| To receive testimony on U.S. Strategic Command and U.S. Cyber Command in review of the Defense Authorization Request for Fiscal Year 2013 and the Future Years Defense Program. | March 27, 2012 | Armed Services | |
| To receive testimony on cybersecurity research and development in review of the Defense Authorization Request for Fiscal Year 2013 and the Future Years Defense Program | March 20, 2012 | Armed Services | Emerging Threats and Capabilities |
| The Freedom of Information Act: Safeguarding Critical Infrastructure Information and the Public's Right to Know | March 13, 2012 | Judiciary | |
| Securing America's Future: The Cybersecurity Act of 2012 | February 16, 2012 | Homeland Security and Governmental Affairs | |
| Cybercrime: Updating the Computer Fraud and Abuse Act to Protect Cyberspace and Combat Emerging Threats | September 7, 2011 | Judiciary | |
| Role of Small Business in Strengthening Cybersecurity Efforts in the United States | July 25, 2011 | Small Business and Entrepreneurship | |
| Privacy and Data Security: Protecting Consumers in the Modern World | June 29, 2011 | Commerce, Science and Transportation | |
| Cybersecurity: Evaluating the Administration's Proposals | June 21, 2011 | Judiciary | Crime and Terrorism |
| Cybersecurity and Data Protection in the Financial Sector | June 21, 2011 | Banking, Housing and Urban Affairs | |
| Protecting Cyberspace: Assessing the White House Proposal | May 23, 2011 | Homeland Security and Governmental Affairs | |
| Cybersecurity of the Bulk-Power System and Electric Infrastructure | May 5, 2011 | Energy and Natural Resources | |
| To receive testimony on the health and status of the defense industrial base and its science and technology-related elements | May 3, 2011 | Armed Services | Emerging Threats and Capabilities |
| Cyber Security: Responding to the Threat of Cyber Crime and Terrorism | April 12, 2011 | Judiciary | Crime and Terrorism |
| Oversight of the Federal Bureau of Investigation | March 30, 2011 | Judiciary | |
| Cybersecurity and Critical Electric Infrastructure (see Table Note) | March 15, 2011 | Energy and Natural Resources | |
| Information Sharing in the Era of WikiLeaks: Balancing Security and Collaboration | March 10, 2011 | Homeland Security and Governmental Affairs | |
| Homeland Security Department's Budget Submission for Fiscal Year 2012 | February 17, 2011 | Homeland Security and Governmental Affairs | |

Source: Compiled by CRS.
Note: The March 15, 2011 hearing before the Committee on Energy and Natural Resources was closed. The hearing notice was removed from the committee’s website.

Table 7. Senate Hearings (112th Congress), by Committee

| Committee | Subcommittee | Title | Date |
|---|---|---|---|
| Armed Services | Emerging Threats and Capabilities | To receive testimony on cybersecurity research and development in review of the Defense Authorization Request for Fiscal Year 2013 and the Future Years Defense Program | March 30, 2012 |
| Armed Services | Emerging Threats and Capabilities | To receive testimony on the health and status of the defense industrial base and its science and technology-related elements | May 3, 2011 |
| Banking, Housing and Urban Affairs | | Cybersecurity and Data Protection in the Financial Sector | June 21, 2011 |
| Commerce, Science and Transportation | | Privacy and Data Security: Protecting Consumers in the Modern World | June 29, 2011 |
| Energy and Natural Resources | | Cybersecurity of the Bulk-Power System and Electric Infrastructure | May 5, 2011 |
| Energy and Natural Resources (closed) | | Cybersecurity and Critical Electric Infrastructure [a] | March 15, 2011 |
| Homeland Security & Governmental Affairs | | Securing America's Future: The Cybersecurity Act of 2012 | February 16, 2012 |
| Homeland Security and Governmental Affairs | | Protecting Cyberspace: Assessing the White House Proposal | May 23, 2011 |
| Homeland Security and Governmental Affairs | | Information Sharing in the Era of WikiLeaks: Balancing Security and Collaboration | March 10, 2011 |
| Homeland Security and Governmental Affairs | | Homeland Security Department's Budget Submission for Fiscal Year 2012 | February 17, 2011 |
| Judiciary | | The Freedom of Information Act: Safeguarding Critical Infrastructure Information and the Public's Right to Know | March 13, 2012 |
| Judiciary | | Cybercrime: Updating the Computer Fraud and Abuse Act to Protect Cyberspace and Combat Emerging Threats | September 7, 2011 |
| Judiciary | Crime and Terrorism | Cybersecurity: Evaluating the Administration's Proposals | June 21, 2011 |
| Judiciary | Crime and Terrorism | Cyber Security: Responding to the Threat of Cyber Crime and Terrorism | April 12, 2011 |
| Judiciary | | Oversight of the Federal Bureau of Investigation | March 30, 2011 |
| Small Business and Entrepreneurship | | Role of Small Business in Strengthening Cybersecurity Efforts in the United States | July 25, 2011 |

Source: Compiled by CRS.
a. The March 15, 2011 hearing before the Committee on Energy and Natural Resources was closed. The hearing notice was removed from the committee’s website.

Executive Orders and Presidential Directives

Executive orders are official documents through which the President of the United States
manages the operations of the federal government. Presidential directives pertain to all aspects of
U.S. national security policy and are signed or authorized by the President.

The following reports provide additional information on executive orders and presidential
directives:

• CRS Report RS20846, Executive Orders: Issuance, Modification, and Revocation, by Vanessa K. Burrows and
• CRS Report 98-611, Presidential Directives: Background and Overview, by L. Elaine Halchin.

Table  8 provides  a list  of  executive  orders  and  presidential  directives  pertaining  to  information 
and  computer  security. 
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Table  8.  Executive  Orders  and  Presidential  Directives 

(by  date  of  issuance) 

Title  Date  Source  Notes 


E.O.  13587,  Structural  Reforms  to  Improve  the  Security  of  October  7,  201  I 

Classified  Networks  and  the  Responsible 

http://www.gpo.gov/fdsys/pkg/FR-20 1 I - 1 0- 1 3/pdf/20 1 I - 
26729.pdf 


White  House  This  order  directs  structural  reforms  to  ensure  responsible 

sharing  and  safeguarding  of  classified  information  on 
computer  networks  that  shall  be  consistent  with  appropriate 
protections  for  privacy  and  civil  liberties.  Agencies  bear  the 
primary  responsibility  for  meeting  these  twin  goals.  These 
policies  and  minimum  standards  will  address  all  agencies  that 
operate  or  access  classified  computer  networks,  all  users  of 
classified  computer  networks  (including  contractors  and 
others  who  operate  or  access  classified  computer  networks 
controlled  by  the  Federal  Government),  and  all  classified 
information  on  those  networks. 


E.O.  1 3407,  Public  Alert  and  Warning  System  June  26,  2006 

http://www.gpo.gov/fdsys/pkg/WCPD-2006-07-03/pdf/WCPD- 

2006-07-03-Pgl226.pdf 


HSPD-7,  Homeland  Security  Presidential  Directive  No.  7:  December  17,  2003 

Critical  Infrastructure  Identification,  Prioritization,  and 

Protection 

http://www.dhs.gov/xabout/laws/gc_l  2 1 4597989952.shtm 

E.O.  1 3286,  Amendment  of  Executive  Orders,  and  Other  February  28,  2003 

Actions,  in  Connection  With  the  Transfer  of  Certain  Functions 
to  the  Secretary  of  Homeland  Security 

http://edocket.access.gpo.gov/2003/pdf/03-5343.pdf 


White  House  Assigns  the  Secretary  of  Homeland  Security  the 

responsibility  to  establish  or  adopt,  as  appropriate,  common 
alerting  and  warning  protocols,  standards,  terminology,  and 
operating  procedures  for  the  public  alert  and  warning  system 
to  enable  interoperability  and  the  secure  delivery  of 
coordinated  messages  to  the  American  people  through  as 
many  communication  pathways  as  practicable,  taking  account 
of  Federal  Communications  Commission  rules  as  provided 
by  law. 

White  House  Assigns  the  Secretary  of  Homeland  Security  the 

responsibility  of  coordinating  the  nation’s  overall  efforts  in 
critical  infrastructure  protection  across  all  sectors.  HSPD-7 
also  designates  the  Department  of  Homeland  Security  (DHS) 
as  lead  agency  for  the  nation’s  information  and 
telecommunications  sectors. 

White  House  Designates  the  Secretary  of  Homeland  Security  the  Executive 

Agent  of  the  National  Communication  System  Committee  of 
Principals,  which  are  the  agencies,  designated  by  the 
President,  that  own  or  lease  telecommunication  assets 
identified  as  part  of  the  National  Communication  System,  or 
which  bear  policy,  regulatory,  or  enforcement  responsibilities 
of  importance  to  national  security  and  emergency 
preparedness  telecommunications. 
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Title 

Date 

Source 

Notes 

Presidential  Decision  Directive/NSC-63 
http://www.fas.org/irp/offdocs/pdd/pdd-63.htm 

May  22,  1998 

White  House 

Sets as a national goal the ability to protect the nation's
critical infrastructure from intentional attacks (both physical
and cyber) by the year 2003. According to the PDD, any
interruptions in the ability of these infrastructures to provide
their goods and services must be “brief, infrequent,
manageable, geographically isolated, and minimally
detrimental to the welfare of the United States.”

NSD-42,  National  Security  Directive  42  - National  Policy  for 
the  Security  of  National  Security  Telecommunications  and 
Information  Systems 

http://bushlibrary.tamu.edu/research/pdfs/nsd/nsd42.pdf 

July  5,  1990 

White  House 

Establishes  the  National  Security  Telecommunications  and 
Information  Systems  Security  Committee,  now  called  the 
Committee  on  National  Security  Systems  (CNSS).  CNSS  is 
an  interagency  committee,  chaired  by  the  Department  of 
Defense.  Among  other  assignments,  NSD-42  directs  the 
CNSS  to  provide  system  security  guidance  for  national 
security  systems  to  executive  departments  and  agencies;  and 
submit  annually  to  the  Executive  Agent  an  evaluation  of  the 
security  status  of  national  security  systems.  NSD-42  also 
directs  the  Committee  to  interact,  as  necessary,  with  the 
National  Communications  System  Committee  of  Principals. 

E.O. 12472, Assignment of National Security and Emergency
Preparedness Telecommunications Functions (amended by E.O.
13286 of February 28, 2003 and changes made by E.O. 13407,
June 26, 2006)

http://www.ncs.gov/library/policy_docs/eo_12472.html

April 3, 1984

National Communications System (NCS)

Established a national communication system as those
telecommunication assets owned or leased by the federal
government that can meet the national security and
emergency preparedness needs of the federal government,
together with an administrative structure that could ensure
that a national telecommunications infrastructure is
developed that is responsive to national security and
emergency preparedness needs.

Note:  Descriptions  compiled  by  CRS  from  government  websites. 
Data and Statistics

This section identifies data and statistics from government, industry, and IT security firms
regarding the current state of cybersecurity threats in the United States and
internationally. These include incident estimates, costs, and annual reports on data
security breaches, identity theft, cyber crime, malware, and network security.

Table 9. Data and Statistics: Cyber Incidents, Data Breaches, Cyber Crime


Title

Date

Source

Pages

Notes

Worldwide Threat Assessment: Infection Rates and Threat
Trends by Location

http://www.microsoft.com/security/sir/threat/default.aspx#!introduction

ongoing

Microsoft Security Intelligence Report (SIR)

N/A

Data on infection rates, malicious websites
and threat trends by regional location,
worldwide.

McAfee Research & Reports (multiple)

http://www.mcafee.com/us/about/newsroom/research-reports.aspx

2009-2012

McAfee

N/A

Links to reports on cybersecurity threats,
malware, cybercrime, and spam.

Significant Cyber Incidents Since 2006

http://csis.org/publication/cyber-events-2006

January 19, 2012

Center for Strategic and International Studies (CSIS)

9

A list of significant cyber events since 2006.
From the report, “Significance is in the eye
of the beholder, but we focus on successful
attacks on government agencies, defense and
high tech companies, or economic crimes
with losses of more than a million dollars.”

2011 ITRC Breach Report Key Findings

http://www.idtheftcenter.org/artman2/publish/headlines/Breaches_2011.shtml

December 10, 2011

Identity Theft Resource Center (ITRC)

N/A

According to the report, hacking attacks
were responsible for more than one-quarter
(25.8%) of the data breaches recorded in the
Identity Theft Resource Center’s 2011
Breach Report, hitting a five-year all time high.
This was followed by “Data on the Move”
(when an electronic storage device, laptop
or paper folders leave the office where it is
normally stored) and “Insider Theft,” at
18.1% and 13.4% respectively.

The Risk of Social Engineering on Information Security: A
Survey of IT Professionals

http://www.checkpoint.com/press/downloads/social-engineering-survey.pdf

September 2011

Check Point

7

[The] report reveals 48% of large companies
and 32% of companies of all sizes surveyed
have been victims of social engineering,
experiencing 25 or more attacks in the past
two years, costing businesses anywhere
from $25,000 to over $100,000 per security
incident. [P]hishing and social networking
tools are the most common sources of
socially-engineering threats.
Title

Date

Source

Pages

Notes

Second Annual Cost of Cyber Crime Study

http://www.arcsight.com/collateral/whitepapers/2011_Cost_of_Cyber_Crime_Study_August.pdf

August 2011

Ponemon Institute

30

[T]he median annualized cost for 50
benchmarked organizations is $5.9 million
per year, with a range from $1.5 million to
$36.5 million each year per company. This
represents an increase in median cost of 56
percent from [Ponemon's] first cyber cost
study published last year.

Revealed: Operation Shady RAT: an Investigation of
Targeted Intrusions into 70+ Global Companies,
Governments, and Non-Profit Organizations During the
Last 5 Years

http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf

August 2, 2011

McAfee Research Labs

14

A comprehensive analysis of victim profiles
from a five-year targeted operation which
penetrated 72 government and other
organizations, most of them in the US, and
copied everything from military secrets to
industrial designs. See page 4 for types of
compromised parties, page 5 for geographic
distribution of victim’s country of origin,
pages 7-9 for types of victims, and pages 10-13
for the number of intrusions for 2007-2010.

2010 Annual Study: U.S. Cost of a Data Breach

http://www.symantec.com/content/en/us/about/media/pdfs/symantec_ponemon_data_breach_costs_report.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2011Mar_worldwide_costofdatabreach

March 2011

Ponemon Institute/Symantec

39

The average organizational cost of a data
breach increased to $7.2 million and cost
companies an average of $214 per
compromised record.

FY 2010 Report to Congress on the Implementation of the
Federal Information Security Management Act of 2002

http://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/FY10_FISMA.pdf

March 2011

White House/Office of Management and Budget

48

The number of attacks against federal
networks increased nearly 40% last year,
while the number of incidents targeting U.S.
computers overall was down roughly 1% for
the same period. (See pp. 12-13).

A Good Decade for Cybercrime: McAfee’s Look Back at
Ten Years of Cybercrime

http://www.mcafee.com/us/resources/reports/rp-good-decade-for-cybercrime.pdf

December 29, 2010

McAfee

11

A review of the most publicized, pervasive,
and costly cybercrime exploits from 2000-2010.

Note:  Statistics  are  from  the  source  publication  and  have  not  been  independently  verified  by  CRS. 
Cybersecurity Glossaries

Table  10  includes  links  to  glossaries  of  useful  cybersecurity  terms,  including  those  related  to  cloud  computing  and  cyberwarfare. 


Table  10.  Glossaries  of  Cybersecurity  Terms 


Title 

Source 

Date 

Pages 

Notes 

Cloud  Computing  Reference  Architecture 

http://collaborate.nist.gov/twiki-cloud-computing/pub/CloudComputing/ReferenceArchitectureTaxonomy/NIST_SP_500-292_-_090611.pdf

National Institute of Standards and Technology (NIST)

September 2011

35 

Provides  guidance  to  specific  communities  of  practitioners 
and  researchers. 

Glossary  of  Key  Information  Security  Terms 

http://collaborate.nist.gov/twiki-cloud-computing/pub/CloudComputing/ReferenceArchitectureTaxonomy/NIST_SP_500-292_-_090611.pdf

NIST

February 2011

211 

The  glossary  provides  a central  resource  of  terms  and 
definitions  most  commonly  used  in  NIST  information 
security  publications  and  in  Committee  for  National  Security 
Systems  (CNSS)  information  assurance  publications. 

CIS  Consensus  Information  Security  Metrics 

http://collaborate.nist.gov/twiki-cloud-computing/pub/CloudComputing/ReferenceArchitectureTaxonomy/NIST_SP_500-292_-_090611.pdf

Center for Internet Security

November 2010

175 

Provides  definitions  for  security  professionals  to  measure 
some  of  the  most  important  aspects  of  the  information 
security  status.  The  goal  is  to  give  an  organization  the  ability 
to  repeatedly  evaluate  security  in  a standardized  way, 
allowing  it  to  identify  trends,  understand  the  impact  of 
activities  and  make  responses  to  improve  the  security 
status.  (Free  registration  required.) 

Joint  Terminology  for  Cyberspace  Operations 

http://collaborate.nist.gov/twiki-cloud-computing/pub/CloudComputing/ReferenceArchitectureTaxonomy/NIST_SP_500-292_-_090611.pdf

Chairman of the Joint Chiefs of Staff

November 1, 2010

16 

This  lexicon  is  the  starting  point  for  normalizing  terms  in  all 
cyber-related  documents,  instructions,  CONOPS,  and 
publications  as  they  come  up  for  review. 

Department  of  Defense  Dictionary  of  Military  and 
Associated  Terms 

http://collaborate.nist.gov/twiki-cloud-computing/pub/CloudComputing/ReferenceArchitectureTaxonomy/NIST_SP_500-292_-_090611.pdf

Chairman of the Joint Chiefs of Staff

November 8, 2010 (as amended through January 15, 2012)

547 

Provides  joint  policy  and  guidance  for  Information 
Assurance  (IA)  and  Computer  Network  Operations  (CNO) 
activities. 

DHS  Risk  Lexicon 

http://www.dhs.gov/xlibrary/assets/dhs-risk-lexicon-2010.pdf

Department of Homeland Security (DHS) Risk Steering Committee

September 2010

72 

The  lexicon  promulgates  a common  language,  facilitates  the 
clear  exchange  of  structured  and  unstructured  data,  and 
provides  consistency  and  clear  understanding  with  regard  to 
the  usage  of  terms  by  the  risk  community  across  the  DHS. 

Note:  Highlights  compiled  by  CRS  from  the  reports. 
Reports by Topic

This  section  gives  references  to  analytical  reports  on  cybersecurity  from  CRS,  other 
governmental  agencies,  and  trade  organizations.  The  reports  are  grouped  under  the  following 
cybersecurity  topics:  policy  framework  overview,  critical  infrastructure,  and  cybercrime  and 
national  security. 

For  each  topic,  CRS  reports  are  listed  first  and  then  followed  by  tables  with  reports  from  other 
organizations.  The  overview  reports  provide  an  analysis  of  a broad  range  of  cybersecurity  issues 
(Table  11  to  Table  16).  The  critical  infrastructure  reports  (Table  17)  analyze  cybersecurity  issues 
related  to  telecom  infrastructure,  the  electricity  grid,  and  industrial  control  systems.  The 
cybercrime and national security reports (Table 18) analyze a wide range of cybersecurity issues,
including identity theft and government policies for dealing with cyberwar scenarios. In addition,
tables  with  selected  reports  on  international  efforts  to  address  cybersecurity  problems,  training  for 
cybersecurity  professionals,  and  research  and  development  efforts  in  other  areas  are  also  provided 
(Table  19  to  Table  21). 

CRS  Reports  Overview:  Cybersecurity  Policy  Framework 

• CRS Report R42114, Federal Laws Relating to Cybersecurity: Discussion of
Proposed Revisions, by Eric A. Fischer

• CRS Report R41941, The Obama Administration’s Cybersecurity Proposal:
Criminal Provisions, by Gina Stevens

• CRS Report R40150, A Federal Chief Technology Officer in the Obama
Administration: Options and Issues for Consideration, by John F. Sargent Jr.

• CRS Report R42409, Cybersecurity: Selected Legal Issues, by Edward C. Liu et
al.


Congressional  Research  Service 
Table 11. Selected Reports: Cybersecurity Overview

Title 

Source 

Date 

Pages 

Notes 

Cyber-security:  The  Vexed  Question  of  Global  Rules:  An 
Independent  Report  on  Cyber-Preparedness  Around  the 
World 

http://www.dhs.gov/xlibrary/assets/dhs-risk-lexicon-2010.pdf

McAfee and the Security Defense Agenda

February 2012

108

The report examines the current state of cyber-preparedness
around the world, and is based on survey
results from 80 policy-makers and cybersecurity experts in
the government, business and academic sectors from 27
countries. The countries were ranked on their state of
cyber-preparedness.

Mission Critical: A Public-Private Strategy for Effective
Cybersecurity

http://businessroundtable.org/uploads/studies-reports/downloads/2011_10_Mission_Critical_A_Public-Private_Strategy_for_Effective_Cybersecurity.pdf

Business Roundtable

October 11, 2011

28

According to the report, “[p]ublic policy solutions must
recognize the absolute importance of leveraging policy
foundations that support effective global risk management,
in contrast to “check-the-box” compliance approaches that
can undermine security and cooperation. The document
concludes with specific policy proposals and activity
commitments.


World Cybersecurity Technology Research Summit
(Belfast 2011)

http://www.csit.qub.ac.uk/media/pdf/Filetoupload,252359,en.pdf

Centre for Secure Information Technologies (CSIT)

September 12, 2011

14

The Belfast 2011 event attracted international cyber
security experts from leading research institutes,
government bodies and industry who gathered to discuss
current cyber security threats, predict future threats and
the necessary mitigation techniques, and to develop a
collective strategy for next research.

A Review of Frequently Used Cyber Analogies

http://www.nsci-va.org/WhitePapers/2011-07-22-Cyber Analogies Whitepaper-K McKee.pdf

National Security Cyberspace Institute

July 22, 2011

7

The current cybersecurity crisis can be described several
ways with numerous metaphors. Many compare the
current crisis with the lawlessness to that of the Wild West
and the out-dated tactics and race to security with the Cold
War. When treated as a distressed ecosystem, the work of
both national and international agencies to eradicate many
infectious diseases serves as a model as how poor health
can be corrected with proper resources and execution.
Before these issues are discussed, what cyberspace actually
is must be identified.

America’s Cyber Future: Security and Prosperity in the
Information Age

http://www.cnas.org/node/6405

Center for a New American Security

June 1, 2011

296

To help U.S. policymakers address the growing danger of
cyber insecurity, this two-volume report features chapters
on cyber security strategy, policy, and technology by some
of the world’s leading experts on international relations,
national security, and information technology.
Title

Source

Date

Pages

Notes

Resilience of the Internet Interconnection Ecosystem, at:
http://www.enisa.europa.eu/act/res/other-areas/inter-x/report/interx-report

European Network and Information Security Agency (ENISA)

April 11, 2011

238

Part I: Summary and Recommendations; Part II: State of the
Art Review (a detailed description of the Internet’s routing
mechanisms and analysis of their robustness at the
technical, economic and policy levels.); Part III: Report on
the Consultation (a broad range of stakeholders were
consulted. This part reports on the consultation and
summarizes the results). Part IV: Bibliography and
Appendices.

Improving our Nation’s Cybersecurity through the Public-Private
Partnership: a White Paper

http://www.cdt.org/files/pdfs/20110308_cbyersec_paper.pdf

Business Software Alliance, Center for Democracy &
Technology, U.S. Chamber of Commerce, Internet
Security Alliance, Tech America

March 8, 2011

26

This paper proposes expanding the existing partnership
within the framework of the National Infrastructure Protection
Plan. Specifically, it makes a series of recommendations that
build upon the conclusions of President Obama's Cyberspace
Policy Review.

Cybersecurity Two Years Later

http://csis.org/files/publication/110128_Lewis_CybersecurityTwoYearsLater_Web.pdf

CSIS Commission on Cybersecurity for the 44th
Presidency, Center for Strategic and International
Studies

January 2011

22

From the report: “We thought then [in 2008] that securing
cyberspace had become a critical challenge for national
security, which our nation was not prepared to meet.... In
our view, we are still not prepared.”

Toward Better Usability, Security, and Privacy of
Information Technology: Report of a Workshop

http://www.nap.edu/catalog.php?record_id=12998

National Research Council

September 21, 2010

70

Discusses computer system security and privacy, their
relationship to usability, and research at their intersection.
This is drawn from remarks made at the National Research
Council’s July 2009 Workshop on Usability, Security and
Privacy of Computer Systems as well as recent reports from
the NRC’s Computer Science and Telecommunications
Board on security and privacy.

National Security Threats in Cyberspace

http://nationalstrategy.com/Portals/0/National Security Threats in Cyberspace FINAL 09-15-09.pdf

Joint Workshop of the National Security Threats
in Cyberspace and the National Strategy Forum

September 15, 2009

37

The two-day workshop brought together more than two
dozen experts with diverse backgrounds: physicists;
telecommunications executives; Silicon Valley
entrepreneurs; federal law enforcement, military, homeland
security, and intelligence officials; congressional staffers; and
civil liberties advocates. For two days they engaged in an
open-ended discussion of cyber policy as it relates to
national security, under Chatham House Rules - their
comments were for the public record, but they were not
for attribution.

Note: Highlights compiled by CRS from the reports.
Table 12. Selected Government Reports: Government Accountability Office (GAO)


Title 

Date 

Pages 

Notes 

Cybersecurity:  Challenges  to  Securing  the  Modernized 
Electricity  Grid 

http://www.csit.qub.ac.uk/media/pdf/Filetoupload,252359,en.pdf

February  28,  2012 

19 

As  GAO  reported  in  January  2011,  securing  smart  grid  systems  and  networks 
presented  a number  of  key  challenges  that  required  attention  by  government 
and  industry.  GAO  made  several  recommendations  to  the  Federal  Energy 
Regulatory  Commission  (FERC)  aimed  at  addressing  these  challenges.  The 
commission  agreed  with  these  recommendations  and  described  steps  it  is 
taking  to  implement  them. 

Critical  Infrastructure  Protection:  Cybersecurity  Guidance 
Is  Available,  but  More  Can  Be  Done  to  Promote  Its  Use 

http://www.gao.gov/products/GAO-12-92

December 9, 2011

77 

Given  the  plethora  of  guidance  available,  individual  entities  within  the  sectors 
may  be  challenged  in  identifying  the  guidance  that  is  most  applicable  and 
effective  in  improving  their  security  posture.  Improved  knowledge  of  the 
guidance  that  is  available  could  help  both  federal  and  private  sector  decision 
makers  better  coordinate  their  efforts  to  protect  critical  cyber-reliant  assets. 

Cybersecurity Human Capital: Initiatives Need Better
Planning and Coordination, at:
http://www.gao.gov/products/GAO-12-8

November 29, 2011

86 

All  the  agencies  GAO  reviewed  faced  challenges  determining  the  size  of  their 
cybersecurity  workforce  because  of  variations  in  how  work  is  defined  and  the 
lack  of  an  occupational  series  specific  to  cybersecurity.  With  respect  to  other 
workforce  planning  practices,  all  agencies  had  defined  roles  and  responsibilities 
for  their  cybersecurity  workforce,  but  these  roles  did  not  always  align  with 
guidelines issued by the federal Chief Information Officers Council and National
Institute of Standards and Technology (NIST)

Federal  Chief  Information  Officers:  Opportunities  Exist  to 
Improve  Role  in  Information  Technology  Management 

http://www.gao.gov/products/GAO-11-634

October 17, 2011

72 

GAO  is  recommending  that  OMB  update  its  guidance  to  establish  measures  of 
accountability  for  ensuring  that  CIOs'  responsibilities  are  fully  implemented 
and  require  agencies  to  establish  internal  processes  for  documenting  lessons 
learned. 

Information  Security:  Additional  Guidance  Needed  to 
Address  Cloud  Computing  Concerns 

http://www.gao.gov/products/GAO-12-130T

October 5, 2011

17 

Twenty-two  of  24  major  federal  agencies  reported  that  they  were  either 
concerned  or  very  concerned  about  the  potential  information  security  risks 
associated  with  cloud  computing.  GAO  recommended  that  the  NIST  issue 
guidance  specific  to  cloud  computing  security. 

Information  Security:  Weaknesses  Continue  Amid  New 
Federal  Efforts  to  Implement  Requirements 

http://www.gao.gov/products/GAO-12-137

October 3, 2011

49 

Weaknesses  in  information  security  policies  and  practices  at  24  major  federal 
agencies  continue  to  place  the  confidentiality,  integrity,  and  availability  of 
sensitive  information  and  information  systems  at  risk.  Consistent  with  this 
risk,  reports  of  security  incidents  from  federal  agencies  are  on  the  rise, 
increasing  over  650%  over  the  past  5 years.  Each  of  the  24  agencies  reviewed 
had  weaknesses  in  information  security  controls. 

Federal  Chief  Information  Officers:  Opportunities  Exist  to 
Improve  Role  in  Information  Technology  Management 

http://www.gao.gov/products/GAO-11-634

October 17, 2011

72 

GAO  is  recommending  that  the  Office  of  Management  and  Budget  (OMB) 
update  its  guidance  to  establish  measures  of  accountability  for  ensuring  that 
CIOs'  responsibilities  are  fully  implemented  and  require  agencies  to  establish 
internal  processes  for  documenting  lessons  learned. 
Defense Department Cyber Efforts: Definitions, Focal
Point, and Methodology Needed for DoD to Develop
Full-Spectrum Cyberspace Budget Estimates

http://www.gao.gov/products/GAO-11-695R

July 29, 2011

33 

This  letter  discusses  the  Department  of  Defense's  cyber  and  information 
assurance budget for fiscal year 2012 and future years defense spending. The
objectives  of  this  review  were  to  (1)  assess  the  extent  to  which  DoD  has 
prepared  an  overarching  budget  estimate  for  full-spectrum  cyberspace 
operations  across  the  department;  and  (2)  identify  the  challenges  DoD  has 
faced  in  providing  such  estimates. 

Continued  Attention  Needed  to  Protect  Our  Nation’s 
Critical  Infrastructure 

http://www.gao.gov/products/GAO-11-463T

July 26, 2011

20 

A number  of  significant  challenges  remain  to  enhancing  the  security  of  cyber- 
reliant  critical  infrastructures,  such  as  (1)  implementing  actions  recommended 
by  the  president's  cybersecurity  policy  review;  (2)  updating  the  national 
strategy  for  securing  the  information  and  communications  infrastructure;  (3) 
reassessing  DHS's  planning  approach  to  critical  infrastructure  protection;  (4) 
strengthening  public-private  partnerships,  particularly  for  information  sharing; 
(5)  enhancing  the  national  capability  for  cyber  warning  and  analysis;  (6) 
addressing global aspects of cybersecurity and governance; and (7) securing the
modernized  electricity  grid. 

Defense  Department  Cyber  Efforts:  DoD  Faces  Challenges 
in  Its  Cyber  Activities 

http://www.gao.gov/products/GAO-11-75

July 25, 2011

79 

GAO  recommends  that  DoD:  evaluate  how  it  is  organized  to  address 
cybersecurity  threats;  assess  the  extent  to  which  it  has  developed  joint 
doctrine  that  addresses  cyberspace  operations;  examine  how  it  assigned 
command  and  control  responsibilities;  and  determine  how  it  identifies  and  acts 
to  mitigate  key  capability  gaps  involving  cyberspace  operations. 

Critical  Infrastructure  Protection:  Key  Private  and  Public 
Cyber  Expectations  Need  to  Be  Consistently  Addressed 

http://www.gao.gov/products/GAO-10-628

August 16, 2010

38 

The  Special  Assistant  to  the  President  and  Cybersecurity  Coordinator  and  the 
Secretary  of  Homeland  Security,  should  take  two  actions:  (1)  use  the  results 
of  this  report  to  focus  their  information-sharing  efforts,  including  their 
relevant  pilot  projects,  on  the  most  desired  services,  including  providing  timely 
and  actionable  threat  and  alert  information,  access  to  sensitive  or  classified 
information,  a secure  mechanism  for  sharing  information,  and  providing 
security  clearance  and  (2)  bolster  the  efforts  to  build  out  the  National 
Cybersecurity  and  Communications  Integration  Center  as  the  central  focal 
point  for  leveraging  and  integrating  the  capabilities  of  the  private  sector, 
civilian  government,  law  enforcement,  the  military,  and  the  intelligence 
community. 

Information  Security:  State  Has  Taken  Steps  to  Implement 
a Continuous  Monitoring  Application,  but  Key  Challenges 
Remain 

http://www.gao.gov/products/GAO-11-149

July 8, 2011

63 

The  Department  of  State  implemented  a custom  application  called  iPost  and  a 
risk  scoring  program  that  is  intended  to  provide  continuous  monitoring 
capabilities  of  information  security  risk  to  elements  of  its  information 
technology  (IT)  infrastructure.  To  improve  implementation  of  iPost  at  State, 
the Secretary of State should direct the Chief Information Officer to develop,
document, and maintain an iPost configuration management and test process.
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Cybersecurity:  Continued  Attention  Needed  to  Protect  March  16,  201  I 
Our  Nation's  Critical  Infrastructure  and  Federal 
Information  Systems 

http://www.gao.gov/products/GAO- 1 I -463T 


Electricity  Grid  Modernization:  Progress  Being  Made  on  January  12,  201  I 
Cybersecurity  Guidelines,  but  Key  Challenges  Remain  to 
be  Addressed 

http://www.gao.gov/products/GAO-l  l-l  17 


Information  Security:  Federal  Agencies  Have  Taken  Steps  November  30,  2010 
to  Secure  Wireless  Networks,  but  Further  Actions  Can 
Mitigate  Risk 

http://www.gao.gov/products/GAO- 1 I -43 

Cyberspace  Policy:  Executive  Branch  Is  Making  Progress  October  6,  2010 
Implementing  2009  Policy  Review  Recommendations,  but 
Sustained  Leadership  Is  Needed 

http://www.gao.gov/products/GAO- 1 I -24 

DHS  Efforts  to  Assess  and  Promote  Resiliency  Are  September  23,  2010 

Evolving  but  Program  Management  Could  Be  Strengthened 

http://www.gao.gov/products/GAO- 1 0-772 


Information  Security:  Progress  Made  on  Harmonizing  Policies  September  15,  2010 
and  Guidance  for  National  Security  and  Non-National 
Security  Systems 

http://www.gao.gov/products/GAO- 1 0-9 1 6 
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1 6 Executive  branch  agencies  have  made  progress  instituting  several 

governmentwide  initiatives  that  are  aimed  at  bolstering  aspects  of  federal 
cybersecurity,  such  as  reducing  the  number  of  federal  access  points  to  the 
Internet,  establishing  security  configurations  for  desktop  computers,  and 
enhancing  situational  awareness  of  cyber  events.  Despite  these  efforts,  the 
federal  government  continues  to  face  significant  challenges  in  protecting  the 
nation's  cyber-reliant  critical  infrastructure  and  federal  information  systems. 

50  GAO  identified  the  following  six  key  challenges:  (I)  Aspects  of  the  regulatory 
environment  may  make  it  difficult  to  ensure  smart  grid  systems'  cybersecurity. 
(2)  Utilities  are  focusing  on  regulatory  compliance  instead  of  comprehensive 
security.  (3)  The  electric  industry  does  not  have  an  effective  mechanism  for 
sharing  information  on  cybersecurity.  (4)  Consumers  are  not  adequately 
informed  about  the  benefits,  costs,  and  risks  associated  with  smart  grid 
systems.  (5)  There  is  a lack  of  security  features  being  built  into  certain  smart 
grid  systems.  (6)  The  electricity  industry  does  not  have  metrics  for  evaluating 
cybersecurity. 

50  Existing  governmentwide  guidelines  and  oversight  efforts  do  not  fully  address 

agency  implementation  of  leading  wireless  security  practices.  Until  agencies  take 
steps  to  better  implement  these  leading  practices,  and  OMB  takes  steps  to 
improve  governmentwide  oversight,  wireless  networks  will  remain  at  an 
increased  vulnerability  to  attack. 

66  Of  the  24  recommendations  in  the  President's  May  2009  cyber  policy  review 
report,  2 have  been  fully  implemented,  and  22  have  been  partially 
implemented.  While  these  efforts  appear  to  be  steps  forward,  agencies  were 
largely  not  able  to  provide  milestones  and  plans  that  showed  when  and  how 
implementation  of  the  recommendations  was  to  occur. 

46  The  Department  of  Homeland  Security  (DHS)  has  not  developed  an  effective  way 
to  ensure  that  critical  national  infrastructure,  such  as  electrical  grids  and 
telecommunications  networks,  can  bounce  back  from  a disaster.  DHS  has 
conducted  surveys  and  vulnerability  assessments  of  critical  infrastructure  to 
identify  gaps,  but  has  not  developed  a way  to  measure  whether  owners  and 
operators  of  that  infrastructure  adopt  measures  to  reduce  risks. 

38 OMB and NIST established policies and guidance for civilian non-national security
systems,  while  other  organizations,  including  the  Committee  on  National  Security 
Systems  (CNSS),  DoD,  and  the  U.S.  intelligence  community,  have  developed 
policies  and  guidance  for  national  security  systems.  GAO  was  asked  to  assess  the 
progress  of  federal  efforts  to  harmonize  policies  and  guidance  for  these  two 
types  of  systems 

United States Faces Challenges in Addressing Global
Cybersecurity and Governance

http://www.gao.gov/products/GAO-10-606

August 2, 2010

53 

GAO  recommends  that  the  Special  Assistant  to  the  President  and 
Cybersecurity  Coordinator  should  make  recommendations  to  appropriate 
agencies  and  interagency  coordination  committees  regarding  any  necessary 
changes  to  more  effectively  coordinate  and  forge  a coherent  national 
approach  to  cyberspace  policy. 

Federal  Guidance  Needed  to  Address  Control  Issues  With 
Implementing  Cloud  Computing 

http://www.gao.gov/products/GAO-10-513

July  1,  2010 

53 

To  assist  federal  agencies  in  identifying  uses  for  cloud  computing  and 
information  security  measures  to  use  in  implementing  cloud  computing,  the 
Director  of  OMB  should  establish  milestones  for  completing  a strategy  for 
implementing  the  federal  cloud  computing  initiative. 

Continued  Attention  Is  Needed  to  Protect  Federal 
Information  Systems  from  Evolving  Threats 

http://www.gao.gov/products/GAO-10-834t

June  16,  2010 

15 

Multiple  opportunities  exist  to  improve  federal  cybersecurity.  To  address 
identified  deficiencies  in  agencies'  security  controls  and  shortfalls  in  their 
information  security  programs,  GAO  and  agency  inspectors  general  have 
made  hundreds  of  recommendations  over  the  past  several  years,  many  of 
which  agencies  are  implementing.  In  addition,  the  White  House,  the  Office  of 
Management  and  Budget,  and  certain  federal  agencies  have  undertaken  several 
governmentwide  initiatives  intended  to  enhance  information  security  at  federal 
agencies.  While  progress  has  been  made  on  these  initiatives,  they  all  face 
challenges  that  require  sustained  attention,  and  GAO  has  made  several 
recommendations  for  improving  the  implementation  and  effectiveness  of  these 
initiatives. 

Information  Security:  Concerted  Response  Needed  to 
Resolve Persistent Weaknesses, at: http://www.gao.gov/products/GAO-10-536t

March  24,  2010 

21 

Without  proper  safeguards,  federal  computer  systems  are  vulnerable  to 
intrusions  by  individuals  who  have  malicious  intentions  and  can  obtain  sensitive 
information.  The  need  for  a vigilant  approach  to  information  security  has  been 
demonstrated  by  the  pervasive  and  sustained  cyber  attacks  against  the  United 
States:  these  attacks  continue  to  pose  a potentially  devastating  impact  to 
systems  as  well  as  the  operations  and  critical  infrastructures  that  they  support. 

Cybersecurity:  Continued  Attention  Is  Needed  to  Protect 
Federal  Information  Systems  from  Evolving  Threats 

http://www.gao.gov/products/GAO-11-463T

March  16,  2010 

15 

The  White  House,  the  Office  of  Management  and  Budget,  and  certain  federal 
agencies  have  undertaken  several  governmentwide  initiatives  intended  to 
enhance  information  security  at  federal  agencies.  While  progress  has  been  made 
on these initiatives, they all face challenges that require sustained attention, and
GAO has made several recommendations for improving the implementation and
effectiveness  of  these  initiatives. 


Concerted  Effort  Needed  to  Consolidate  and  Secure 
Internet  Connections  at  Federal  Agencies 

http://www.gao.gov/products/GAO-10-237

April  12,  2010 

40 

To  reduce  the  threat  to  federal  systems  and  operations  posed  by  cyber 
attacks on the U.S., OMB launched, in November 2007, the Trusted Internet
Connections  (TIC)  initiative,  and  later,  in  2008,  the  Department  of  Homeland 
Security’s  (DHS)  National  Cybersecurity  Protection  System  (NCPS), 
operationally  known  as  Einstein,  which  became  mandatory  for  federal  agencies 
as  part  of  TIC.  In  order  to  further  ensure  that  federal  agencies  have  adequate, 
sufficient,  and  timely  information  to  successfully  meet  the  goals  and  objectives 
of  the  TIC  and  Einstein  programs,  the  Secretary  of  Homeland  Security  should, 
to  better  understand  whether  Einstein  alerts  are  valid,  develop  additional 
performance  measures  that  indicate  how  agencies  respond  to  alerts. 

Cybersecurity:  Progress  Made  But  Challenges  Remain  in 
Defining  and  Coordinating  the  Comprehensive  National 
Initiative 

http://www.gao.gov/products/GAO-10-338

March  5,  2010 

64 

To  address  strategic  challenges  in  areas  that  are  not  the  subject  of  existing 
projects  within  CNCI  but  remain  key  to  achieving  the  initiative’s  overall  goal 
of  securing  federal  information  systems,  the  Director  of  OMB  should  continue 
development  of  a strategic  approach  to  identity  management  and 
authentication,  linked  to  HSPD-12  implementation,  as  initially  described  in  the 
Chief  Information  Officers  Council's  plan  for  implementing  federal  identity, 
credential,  and  access  management,  so  as  to  provide  greater  assurance  that 
only  authorized  individuals  and  entities  can  gain  access  to  federal  information 
systems. 

Continued  Efforts  Are  Needed  to  Protect  Information 
Systems  from  Evolving  Threats 

http://www.gao.gov/products/GAO-10-230t

November 17, 2009

24 

GAO  has  identified  weaknesses  in  all  major  categories  of  information  security 
controls  at  federal  agencies.  For  example,  in  fiscal  year  2008,  weaknesses  were 
reported  in  such  controls  at  23  of  24  major  agencies.  Specifically,  agencies  did 
not  consistently  authenticate  users  to  prevent  unauthorized  access  to  systems; 
apply  encryption  to  protect  sensitive  data;  and  log,  audit,  and  monitor 
security-relevant  events,  among  other  actions. 

Efforts to Improve Information Sharing Need to Be
Strengthened 

http://www.gao.gov/products/GAO-03-760 

August  27,  2003 

59 

Information on threats, methods, and techniques of terrorists is not routinely
shared;  and  the  information  that  is  shared  is  not  perceived  as  timely,  accurate, 
or  relevant. 

Source:  GAO. 

Note:  Highlights  compiled  by  CRS  from  the  reports. 

Trustworthy Cyberspace: Strategic Plan for the Federal
Cybersecurity Research and Development Program

http://www.whitehouse.gov/sites/default/files/microsites/ostp/fed_cybersecurity_rd_strategic_plan_2011.pdf

December 6, 2011

36 

As  a research  and  development  strategy,  this  plan  defines  four  strategic 
thrusts:  Inducing  Change;  Developing  Scientific  Foundations;  Maximizing 
Research  Impact;  and  Accelerating  Transition  to  Practice. 

Structural  Reforms  to  Improve  the  Security  of  Classified 
Networks  and  the  Responsible  Sharing  and  Safeguarding  of 
Classified  Information 

http://www.whitehouse.gov/the-press-office/2011/10/07/executive-order-structural-reforms-improve-security-classified-networks-

October 7, 2011

N/A 

President  Obama  signed  an  executive  order  outlining  data  security 
measures  and  rules  for  government  agencies  to  follow  to  prevent  further 
data  leaks  by  insiders...  The  order  included  the  creation  of  a senior  steering 
committee  that  will  oversee  the  safeguarding  and  sharing  of  information. 

FY  2012  Reporting  Instructions  for  the  Federal  Information 
Security  Management  Act  and  Agency  Privacy  Management3 

http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-33.pdf

September 14, 2011

29 

Rather  than  enforcing  a static,  three-year  reauthorization  process,  agencies 
are  expected  to  conduct  ongoing  authorizations  of  information  systems 
through  the  implementation  of  continuous  monitoring  programs. 
Continuous  monitoring  programs  thus  fulfill  the  three  year  security 
reauthorization  requirement,  so  a separate  re-authorization  process  is  not 
necessary. 

International  Strategy  for  Cyberspace 

http://www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf

May 16, 2011

30 

The  strategy  marks  the  first  time  any  administration  has  attempted  to  set 
forth  in  one  document  the  U.S.  government’s  vision  for  cyberspace, 
including  goals  for  defense,  diplomacy  and  international  development. 

Cybersecurity  Legislative  Proposal  (Fact  Sheet) 

http://www.whitehouse.gov/the-press-office/2011/05/12/fact-sheet-cybersecurity-legislative-proposal

May 12, 2011

N/A 

The  Administration's  proposal  ensures  the  protection  of  individuals' 
privacy  and  civil  liberties  through  a framework  designed  expressly  to 
address  the  challenges  of  cybersecurity.  The  Administration's  legislative 
proposal includes: Management, Personnel, Intrusion Prevention Systems,
and  Data  Centers. 

Federal  Cloud  Computing  Strategy 

http://www.cio.gov/documents/Federal-Cloud-Computing-Strategy.pdf

February 13, 2011

43 

The  strategy  outlines  how  the  federal  government  can  accelerate  the  safe, 
secure  adoption  of  cloud  computing,  and  provides  agencies  with  a 
framework  for  migrating  to  the  cloud.  It  also  examines  how  agencies  can 
address  challenges  related  to  the  adoption  of  cloud  computing,  such  as 
privacy,  procurement,  standards,  and  governance. 

25  Point  Implementation  Plan  to  Reform  Federal  Information 
Technology  Management 

http://www.cio.gov/documents/25-Point-Implementation-Plan-to-Reform-Federal%20IT.pdf

December 9, 2010

40 

The  plan’s  goals  are  to  reduce  the  number  of  federally  run  data  centers 
from  2,100  to  approximately  1,300,  rectify  or  cancel  one-third  of  troubled 
IT  projects,  and  require  federal  agencies  to  adopt  a “cloud  first”  strategy  in 
which  they  will  move  at  least  one  system  to  a hosted  environment  within  a 
year. 

Clarifying Cybersecurity Responsibilities

http://www.whitehouse.gov/sites/default/files/omb/assets/memoranda_2010/m10-28.pdf

July 6, 2010

39 

This  memorandum  outlines  and  clarifies  the  respective  responsibilities  and 
activities  of  the  Office  of  Management  and  Budget  (OMB),  the 
Cybersecurity  Coordinator,  and  DHS,  in  particular  with  respect  to  the 
Federal  Government's  implementation  of  the  Federal  Information  Security 
Management  Act  of  2002  (FISMA). 

The  National  Strategy  for  Trusted  Identities  in  Cyberspace: 
Creating  Options  for  Enhanced  Online  Security  and  Privacy 

http://www.dhs.gov/xlibrary/assets/ns_tic.pdf 

June  25,  2010 

39 

The  NSTIC,  which  is  in  response  to  one  of  the  near  term  action  items  in 
the  President's  Cyberspace  Policy  Review,  calls  for  the  creation  of  an 
online  environment,  or  an  Identity  Ecosystem,  where  individuals  and 
organizations  can  complete  online  transactions  with  confidence,  trusting 
the  identities  of  each  other  and  the  identities  of  the  infrastructure  where 
transactions occur.

Comprehensive  National  Cybersecurity  Initiative  (CNCI) 

http://www.whitehouse.gov/cybersecurity/comprehensive-national-cybersecurity-initiative

March  2,  2010 

5 

The  CNCI  establishes  a multi-pronged  approach  the  federal  government  is 
to  take  in  identifying  current  and  emerging  cyber  threats,  shoring  up 
current  and  future  telecommunications  and  cyber  vulnerabilities,  and 
responding  to  or  proactively  addressing  entities  that  wish  to  steal  or 
manipulate  protected  data  on  secure  federal  systems. 

Cyberspace  Policy  Review:  Assuring  a Trusted  and  Resilient 
Communications  Infrastructure 

http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf

May  29,  2009 

76 

The  President  directed  a 60-day,  comprehensive,  “clean-slate”  review  to 
assess  U.S.  policies  and  structures  for  cybersecurity.  The  review  team  of 
government  cybersecurity  experts  engaged  and  received  input  from  a 
broad  cross-section  of  industry,  academia,  the  civil  liberties  and  privacy 
communities,  state  governments,  international  partners,  and  the  Legislative 
and  Executive  Branches.  This  paper  summarizes  the  review  team’s 
conclusions  and  outlines  the  beginning  of  the  way  forward  toward  a 
reliable,  resilient,  trustworthy  digital  infrastructure  for  the  future. 

Source: Highlights compiled by CRS from the White House reports.
a. White House and Office of Management and Budget.

DOD Information Security Program: Overview, Classification,
and Declassification

http://www.fas.org/sgp/othergov/dod/5200_01v1.pdf

DOD

February 16, 2012

84 

Describes  the  DOD  Information  Security  Program,  and 
provides  guidance  for  classification  and  declassification  of 
DOD  information  that  requires  protection  in  the 
interest  of  the  national  security. 

Defense  Department  Cyber  Efforts:  Definitions,  Focal  Point, 
and  Methodology  Needed  for  DOD  to  Develop  Full-Spectrum 
Cyberspace  Budget  Estimates 

http://www.gao.gov/products/GAO-11-695R

General Accountability Office (GAO)

July 29, 2011

33 

This  letter  discusses  DOD’s  cyber  and  information 
assurance  budget  for  fiscal  year  2012  and  future  years 
defense  spending.  The  objectives  of  this  review  were  to 
(1)  assess  the  extent  to  which  DOD  has  prepared  an 
overarching  budget  estimate  for  full-spectrum  cyberspace 
operations  across  the  department;  and  (2)  identify  the 
challenges  DOD  has  faced  in  providing  such  estimates. 

Legal  Reviews  of  Weapons  and  Cyber  Capabilities 

http://www.e-publishing.af.mil/shared/media/epubs/AFI51-402.pdf

Secretary of the Air Force

July 27, 2011

7 

States  the  Air  Force  must  subject  cyber  capabilities  to 
legal  review  for  compliance  with  the  Law  of  Armed 
Conflict  and  other  international  and  domestic  laws.  The 
Air  Force  judge  advocate  general  must  ensure  that  all 
cyber  capabilities  “being  developed,  bought,  built, 
modified  or  otherwise  acquired  by  the  Air  Force"  must 
undergo  legal  review — except  for  cyber  capabilities 
within  a Special  Access  Program,  which  must  undergo 
review  by  the  Air  Force  general  counsel. 

Department  of  Defense  Strategy  for  Operating  in  Cyberspace 

http://www.defense.gov/news/d20110714cyber.pdf

DOD

July 14, 2011

19

This is an unclassified summary of DOD's cyber-security strategy.

Cyber  Operations  Personnel  Report  (DOD) 

http://www.nsci-va.org/CyberReferenceLib/2011-04-Cyber%20Ops%20Personnel.pdf

DOD

April, 2011

84 

This  report  focuses  on  FY09  Department  of  Defense 
Cyber  Operations  personnel,  with  duties  and 
responsibilities  as  defined  in  Section  934  of  the  Fiscal 
Year  2010  National  Defense  Authorization  Act  (NDAA). 

Appendix  A - Cyber  Operations-related  Military 
Occupations 

Appendix  B - Commercial  Certifications  Supporting  the 
DOD  Information  Assurance  Workforce  Improvement 
Program 

Appendix  C - Military  Services  Training  and 
Development 

Appendix  D - Geographic  Location  of  National  Centers 
of  Academic  Excellence  in  Information  Assurance 

Critical Code: Software Producibility for Defense

http://www.nap.edu/catalog.php?record_id=12979

National Research Council, Committee for Advancing
Software-Intensive Systems Producibility

October 20, 2010

161 

Assesses  the  nature  of  the  national  investment  in 
software  research  and,  in  particular,  considers  ways  to 
revitalize  the  knowledge  base  needed  to  design,  produce, 
and  employ  software-intensive  systems  for  tomorrow's 
defense  needs. 

Defending  a New  Domain 

http://www.foreignaffairs.com/articles/66552/william-j-lynn-iii/defending-a-new-domain

U.S. Deputy Secretary of Defense, William J. Lynn (Foreign Affairs)

September 2010

N/A 

In  2008,  the  U.S.  Department  of  Defense  suffered  a 
significant  compromise  of  its  classified  military  computer 
networks.  It  began  when  an  infected  flash  drive  was 
inserted  into  a U.S.  military  laptop  at  a base  in  the  Middle 
East.  This  previously  classified  incident  was  the  most 
significant  breach  of  U.S.  military  computers  ever,  and 
served as an important wake-up call.

The  QDR  in  Perspective:  Meeting  America’s  National  Security 
Needs  In  the  21st  Century  (QDR  Final  Report) 

http://www.usip.org/quadrennial-defense-review-independent-panel-/view-the-report

Quadrennial 
Defense  Review 

July  30,  2010 

159 

From  the  report:  “The  expanding  cyber  mission  also 
needs  to  be  examined.  The  Department  of  Defense 
should  be  prepared  to  assist  civil  authorities  in  defending 
cyberspace - beyond the Department’s current role.”

Cyberspace  Operations:  Air  Force  Doctrine  Document  3-12 
http://www.e-publishing.af.mil/shared/media/epubs/afdd3-12.pdf

U.S.  Air  Force 

July  15,  2010 

62 

This  Air  Force  Doctrine  Document  (AFDD)  establishes 
doctrinal  guidance  for  the  employment  of  U.S.  Air  Force 
forces  in,  through,  and  from  cyberspace.  It  is  the 
keystone  of  Air  Force  operational-level  doctrine  for 
cyberspace  operations. 

DON  (Department  of  the  Navy)  Cybersecurity/Information 
Assurance  Workforce  Management,  Oversight  and  Compliance 

http://www.doncio.navy.mil/PolicyView.aspx?ID=1804

U.S. Navy

June 17, 2010

14 

To  establish  policy  and  assign  responsibilities  for  the 
administration  of  the  Department  of  the  Navy  (DON) 
Cybersecurity (CS)/Information Assurance Workforce
(IAWF)  Management  Oversight  and  Compliance 
Program. 

Note:  Highlights  compiled  by  CRS  from  the  reports. 

Recommendations for Establishing an Identity Ecosystem
Governance Structure for the National Strategy for Trusted
Identities in Cyberspace

http://www.nist.gov/nstic/2012-nstic-governance-recs.pdf

NIST

February 17, 2012

51

NIST responds to comments received in response to
the related Notice of Inquiry published in the Federal
Register on June 14, 2011.

Models  for  a Governance  Structure  for  the  National  Strategy  for 
Trusted  Identities  in  Cyberspace 

http://www.nist.gov/nstic/2012-nstic-governance-recs.pdf

Department of Commerce

June 14, 2011

4 

The  Department  seeks  public  comment  from  all 
stakeholders,  including  the  commercial,  academic  and 
civil  society  sectors,  and  consumer  and  privacy 
advocates  on  potential  models,  in  the  form  of 
recommendations  and  key  assumptions  in  the 
formation  and  structure  of  the  steering  group. 

Administration  Releases  Strategy  to  Protect  Online  Consumers 
and  Support  Innovation  and  Fact  Sheet  on  National  Strategy  for 
Trusted  Identities  in  Cyberspace 

http://www.whitehouse.gov/the-press-office/2011/04/15/administration-releases-strategy-protect-online-consumers-and-support-in

White House

April 15, 2011

52 

Press  release  on  a proposal  to  administer  the 
processes  for  policy  and  standards  adoption  for  the 
Identity  Ecosystem  Framework  in  accordance  with 
the  National  Strategy  for  Trusted  Identities  in 
Cyberspace  (NSTIC). 

National  Strategy  for  Trusted  Identities  in  Cyberspace 

http://www.whitehouse.gov/blog/2010/06/25/national-strategy-trust
cyberspace

White House

April 15, 2011

52 

The  NSTIC  aims  to  make  online  transactions  more 
trustworthy,  thereby  giving  businesses  and  consumers 
more  confidence  in  conducting  business  online. 

Note:  Highlights  compiled  by  CRS  from  the  reports. 

Global Cloud Computing Scorecard a Blueprint for
Economic Opportunity

http://portal.bsa.org/cloudscorecard2012/

Business Software Alliance

February 2, 2012

24 

This  report  notes  that  while  many  developed  countries 
have  adjusted  their  laws  and  regulations  to  address  cloud 
computing,  the  wide  differences  in  those  rules  make  it 
difficult  for  companies  to  invest  in  the  technology. 

Concept  of  Operations:  FedRAMP 

http://www.gsa.gov/graphics/staffoffices/FedRAMP_CONOPS.pdf

General Services Administration (GSA)

February 7, 2012

47 

Implementation  of  FedRAMP  will  be  in  phases.  This 
document  describes  all  the  services  that  will  be  available  at 
initial operating capability - targeted for June 2012. The
Concept  of  Operations  will  be  updated  as  the  program 
evolves  toward  sustained  operations. 

Federal  Risk  and  Authorization  Management  Program 
(FedRAMP) 

http://www.gsa.gov/portal/category/102371

Federal CIO Council

January 4, 2012

N/A 

The  Federal  Risk  and  Authorization  Management  Program 
or  FedRAMP  has  been  established  to  provide  a standard 
approach  to  Assessing  and  Authorizing  (A&A)  cloud 
computing  services  and  products. 

Security Authorization of Information Systems in Cloud
Computing Environments (FedRAMP)

http://www.cio.gov/fedrampmemo.pdf

White House/Office of Management and Budget (OMB)

December 8, 2011

7 

The  Federal  Risk  and  Authorization  Management  Program 
(FedRAMP)  will  now  be  required  for  all  agencies  purchasing 
storage,  applications  and  other  remote  services  from 
vendors.  The  Obama  administration  has  championed  cloud 
computing  as  a means  to  save  money  and  accelerate  the 
government's  adoption  of  new  technologies. 

U.S.  Government  Cloud  Computing  Technology 
Roadmap, Volume I, Release 1.0 (Draft). High-Priority
Requirements to Further USG Agency Cloud Computing
Adoption

http://www.nist.gov/itl/cloud/upload/SP_500_293_volumeI-2.pdf

NIST

December 1, 2011

32

Volume I is aimed at interested parties who wish to gain a
general  understanding  and  overview  of  the  background, 
purpose,  context,  work,  results,  and  next  steps  of  the  U.S. 
Government  Cloud  Computing  Technology  Roadmap 
initiative. 

U.S.  Government  Cloud  Computing  Technology 
Roadmap, Release 1.0 (Draft), Volume II Useful
Information for Cloud Adopters

http://www.nist.gov/itl/cloud/upload/SP_500_293_volumeII.pdf

NIST

December 1, 2011

85 

Volume  II  is  designed  to  be  a technical  reference  for  those 
actively  working  on  strategic  and  tactical  cloud  computing 
initiatives,  including,  but  not  limited  to,  U.S.  government 
cloud  adopters.  Volume  II  integrates  and  summarizes  the 
work  completed  to  date,  and  explains  how  these  findings 
support the roadmap introduced in Volume I.

Information Security: Additional Guidance Needed to
Address Cloud Computing Concerns

http://www.gao.gov/products/GAO-12-130T

GAO

October 5, 2011

17 

Twenty-two  of  24  major  federal  agencies  reported  that 
they  were  either  concerned  or  very  concerned  about  the 
potential  information  security  risks  associated  with  cloud 
computing...  GAO  recommended  that  the  NIST  issue 
guidance  specific  to  cloud  computing  security.  NIST  has 
issued  multiple  publications  which  address  such  guidance; 
however,  one  publication  remains  in  draft,  and  is  not  to  be 
finalized  until  the  first  quarter  of  fiscal  year  2012. 

Cloud  Computing  Reference  Architecture 

http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909505

NIST

September 1, 2011

35

This "Special Publication," which is not an official U.S.
government  standard,  is  designed  to  provide  guidance  to 
specific  communities  of  practitioners  and  researchers. 

Guide  to  Cloud  Computing  for  Policy  Makers 

http://www.siia.net/index.php?option=com_docman&task=doc_download&gid=3040&Itemid=318

Software and Information Industry Association (SIIA)

July 26, 2011

27

The SIIA concludes "that there is no need for cloud-specific
legislation  or  regulations  to  provide  for  the  safe  and  rapid 
growth  of  cloud  computing,  and  in  fact,  such  actions  could 
impede  the  great  potential  of  cloud  computing." 

Federal  Cloud  Computing  Strategy 

http://www.cio.gov/documents/Federal-Cloud-Computing-Strategy.pdf

White House

February 13, 2011

43 

The  strategy  outlines  how  the  Federal  government  can 
accelerate  the  safe,  secure  adoption  of  cloud  computing, 
and  provides  agencies  with  a framework  for  migrating  to 
the  cloud.  It  also  examines  how  agencies  can  address 
challenges  related  to  the  adoption  of  cloud  computing, 
such as privacy, procurement, standards, and governance.

Notes:  These  reports  analyze  cybersecurity  issues  related  to  the  federal  government's  adoption  of  cloud  computing  storage  options.  Highlights  compiled  by  CRS  from  the 
reports. 

CRS Reports: Critical Infrastructure

• CRS Report RL30153, Critical Infrastructures: Background, Policy, and
Implementation,  by  John  D.  Moteff 

• CRS  Report  R41886,  The  Smart  Grid  and  Cybersecurity — Regulatory  Policy  and 
Issues,  by  Richard  J.  Campbell 

• CRS  Report  R42338,  Smart  Meter  Data:  Privacy  and  Cybersecurity,  by  Brandon 
J.  Murrill,  Edward  C.  Liu,  and  Richard  M.  Thompson  II 

• CRS Report RL33586, The Federal Networking and Information Technology
Research  and  Development  Program:  Background,  Funding,  and  Activities,  by 
Patricia  Moloney  Figliola 

• CRS  Report  97-868,  Internet  Domain  Names:  Background  and  Policy  Issues,  by 
Lennard  G.  Kruger 

• CRS Report R42351, Internet Governance and the Domain Name System: Issues
for  Congress,  by  Lennard  G.  Kruger 



Table 17. Selected Reports: Critical Infrastructure

Title 

Source  Date  Pages 

Notes 

Cybersecurity  for  Energy  Delivery  Systems  Program 

http://energy.gov/oe/technology-development/energy-delivery-systems-cybersecurity

Department of Energy, Office of Electricity Delivery & Energy Reliability

ongoing

N/A

The program assists the energy sector asset owners (electric,
oil,  and  gas)  by  developing  cybersecurity  solutions  for  energy 
delivery  systems  through  integrated  planning  and  a focused 
research  and  development  effort.  CEDS  co-funds  projects  with 
industry  partners  to  make  advances  in  cybersecurity  capabilities 
for  energy  delivery  systems. 


ICT  Applications  for  the  Smart  Grid:  Opportunities  and 
Policy Implications

http://www.oecd-ilibrary.org/docserver/download/fulltext/5k9h2q8v9bln.pdf?expires=1330527950&id=id&accname=guest&checksum=F4470043AC638BE19D5131C3D5CE5EA4

Organization for Economic Co-operation and Development (OECD)


January  10,  2012 


44 


This  report  discusses  “smart”  applications  of  information  and 
communication  technologies  (ICTs)  for  more  sustainable  energy 
production,  management  and  consumption.  The  report  outlines 
policy  implications  for  government  ministries  dealing  with 
telecommunications  regulation,  ICT  sector  and  innovation 
promotion,  consumer  and  competition  issues. 


The  Department's  Management  of  the  Smart  Grid 
Investment Grant Program

http://energy.gov/ig/downloads/departments-management-smart-grid-investment-grant-program-oas-ra-12-04

Department of Energy (DOE) Inspector General

January 1, 2012

21


According  to  the  Inspector  General,  DOE's  rush  to  award 
stimulus  grants  for  projects  under  the  next  generation  of  the 
power  grid,  known  as  the  Smart  grid,  resulted  in  some  firms 
receiving  funds  without  submitting  complete  plans  for  how  to 
safeguard  the  grid  from  cyber  attacks. 


Critical  Infrastructure  Protection:  Cybersecurity 
Guidance  Is  Available,  but  More  Can  Be  Done  to 
Promote  Its  Use 

http://www.gao.gov/products/GAO-12-92

General Accountability Office (GAO)

December 9, 2011

77

Given the plethora of guidance available, individual entities
within the sectors may be challenged in identifying the guidance
that  is  most  applicable  and  effective  in  improving  their  security 
posture.  Improved  knowledge  of  the  guidance  that  is  available 
could  help  both  federal  and  private  sector  decision  makers 
better  coordinate  their  efforts  to  protect  critical  cyber-reliant 
assets. 


The  Future  of  the  Electric  Grid 

http://web.mit.edu/mitei/research/studies/the-electric-grid-2011.shtml

Massachusetts Institute of Technology (MIT)

December 5, 2011

39

Chapter 1 provides an overview of the status of the grid, the
challenges  and  opportunities  it  will  face,  and  major 
recommendations.  To  facilitate  selective  reading,  detailed 
descriptions  of  the  contents  of  each  section  in  Chapters  2-9  are 
provided  in  each  chapter’s  introduction,  and  recommendations 
are  collected  and  briefly  discussed  in  each  chapter's  final  section. 
(See:  Chapter  9,  Data  Communications,  Cybersecurity,  and 
Information  Privacy,  pages  208-234). 

FCC's  Plan  for  Ensuring  the  Security  of 
Telecommunications  Networks 

ftp://ftp.fcc.gov/pub/Daily_Releases/Daily_Business/2011/db0610/DOC-307454A1.txt

Federal Communications Commission (FCC)

June 3, 2011

1 

FCC  Chairman  Genachowski's  response  to  letter  from  Rep. 
Anna  Eshoo  dated  November  2,  2010,  re:  concerns  about  the 
implications  of  foreign-controlled  telecommunications 
infrastructure  companies  providing  equipment  to  the  U.S. 
market. 

Cyber  Infrastructure  Protection 

http://www.strategicstudiesinstitute.army.mil/pubs/display.cfm?pubid=1067

U.S.  Army  War 
College 

May  9,  2011 

324 

Part  1 deals  with  strategy  and  policy  issues  related  to  cyber 
security  and  provides  discussions  covering  the  theory  of 
cyberpower,  Internet  survivability,  large  scale  data  breaches,  and 
the  role  of  cyberpower  in  humanitarian  assistance.  Part  2 covers 
social  and  legal  aspects  of  cyber  infrastructure  protection  and 
discusses  the  attack  dynamics  of  political  and  religiously 
motivated  hackers.  Part  3 discusses  the  technical  aspects  of 
cyber  infrastructure  protection  including  the  resilience  of  data 
centers,  intrusion  detection,  and  a strong  emphasis  on  Internet 
protocol  (IP)  networks. 

In  the  Dark:  Crucial  Industries  Confront  Cyberattacks 

http://www.mcafee.com/us/resources/reports/rp-critical-infrastructure-protection.pdf

McAfee and Center for Strategic and International Studies (CSIS)

April 21, 2011

28

The study reveals an increase in cyber attacks on critical
infrastructure such as power grids, oil, gas, and water; the study
also shows that many of the world's critical infrastructures
lacked protection of their computer networks, and reveals the cost
and impact of cyberattacks.

Cybersecurity:  Continued  Attention  Needed  to  Protect 
Our  Nation's  Critical  Infrastructure  and  Federal 
Information  Systems 

http://www.gao.gov/products/GAO-11-463T

General Accountability Office (GAO)

March 16, 2011

16 

According  to  GAO,  executive  branch  agencies  have  also  made 
progress  instituting  several  government-wide  initiatives  that  are 
aimed  at  bolstering  aspects  of  federal  cybersecurity,  such  as 
reducing  the  number  of  federal  access  points  to  the  Internet, 
establishing  security  configurations  for  desktop  computers,  and 
enhancing  situational  awareness  of  cyber  events.  Despite  these 
efforts,  the  federal  government  continues  to  face  significant 
challenges  in  protecting  the  nation's  cyber-reliant  critical 
infrastructure  and  federal  information  systems. 
Federal Energy Regulatory Commission's Monitoring of Power Grid Cyber Security

http://www.wired.com/images_blogs/threatlevel/2011/02/DoE-IG-Report-on-Grid-Security.pdf

North American Electric Reliability Corp. (NERC)

January 26, 2011

30

NERC developed Critical Infrastructure Protection (CIP) cyber
security reliability standards which were approved by the FERC
in January 2008. Although the Commission had taken steps to
ensure CIP cyber security standards were developed and
approved, NERC’s testing revealed that such standards did not
always include controls commonly recommended for protecting
critical information systems. In addition, the CIP standards
implementation approach and schedule approved by the
Commission were not adequate to ensure that systems-related
risks to the nation's power grid were mitigated or addressed in
a timely manner.

Electricity Grid Modernization: Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain to be Addressed

http://www.gao.gov/products/GAO-11-117

General Accountability Office (GAO)

January 12, 2011

50

To reduce the risk that NIST's smart grid cybersecurity
guidelines will not be as effective as intended, the Secretary of
Commerce should direct the Director of NIST to finalize the
agency's plan for updating and maintaining the cybersecurity
guidelines, including ensuring it incorporates (1) missing key
elements identified in this report, and (2) specific milestones for
when efforts are to be completed. Also, as a part of finalizing the
plan, the Secretary of Commerce should direct the Director of
NIST to assess whether any cybersecurity challenges
identified in this report should be addressed in the guidelines.

Partnership for Cybersecurity Innovation

http://www.whitehouse.gov/blog/2010/12/06/partnership-cybersecurity-innovation

White House (Office of Science & Technology Policy)

December 6, 2010

4

The Obama Administration released a Memorandum of
Understanding signed by the National Institute of Standards and
Technology (NIST) of the Department of Commerce, the
Science and Technology Directorate of the Department of
Homeland Security (DHS/S&T), and the Financial Services Sector
Coordinating Council (FSSCC). The goal of the agreement is to
speed the commercialization of cybersecurity research
innovations that support the nation’s critical infrastructures.

WIB Security Standard Released

http://www.isssource.com/wib/

International Instrument Users Association (WIB)

November 10, 2010

The Netherlands-based International Instrument Users
Association (WIB), an international organization that represents
global manufacturers in the industrial automation industry,
announced the second version of the Process Control Domain
Security Requirements For Vendors document, the first
international standard that outlines a set of specific
requirements focusing on cyber security best practices for
suppliers of industrial automation and control systems.
Information Security Management System for Microsoft Cloud Infrastructure

http://cdn.globalfoundationservices.com/documents/InformationSecurityMangSysforMSCloudInfrastructure.pdf

Microsoft

November 2010

15 

This  study  describes  the  standards  Microsoft  follows  to  address 
current  and  evolving  cloud  security  threats.  It  also  depicts  the 
internal  structures  within  Microsoft  that  handle  cloud  security  and 
risk  management  issues. 

NIST  Finalizes  Initial  Set  of  Smart  Grid  Cyber  Security 
Guidelines 

http://www.nist.gov/public_affairs/releases/nist-finalizes-initial-set-of-smart-grid-cyber-security-guidelines.cfm

National Institute of Standards and Technology (NIST)

September 2, 2010

N/A 

NIST  released  a 3-volume  set  of  recommendations  on  all  things 
relevant  to  securing  the  Smart  Grid.  The  guidelines  address  a 
variety  of  topics,  including:  high-level  security  requirements,  a 
risk  assessment  framework,  an  evaluation  of  privacy  issues  in 
residences  and  recommendations  for  protecting  the  evolving 
grid  from  attacks,  malicious  code,  cascading  errors  and  other 
threats. 

Critical  Infrastructure  Protection:  Key  Private  and  Public 
Cyber  Expectations  Need  to  Be  Consistently  Addressed 

http://www.gao.gov/products/GAO-10-628

General 
Accountability 
Office  (GAO) 

July  15,  2010 

38 

Private  sector  stakeholders  reported  that  they  expect  their 
federal  partners  to  provide  usable,  timely,  and  actionable  cyber 
threat  information  and  alerts;  access  to  sensitive  or  classified 
information;  a secure  mechanism  for  sharing  information; 
security  clearances;  and  a single  centralized  government 
cybersecurity  organization  to  coordinate  government  efforts. 
However,  according  to  private  sector  stakeholders,  federal 
partners  are  not  consistently  meeting  these  expectations. 

The  future  of  cloud  computing 

http://pewinternet.org/Reports/2010/The-future-of-cloud-computing.aspx

Pew Research Center's Internet & American Life Project

June 11, 2010

26 

Technology  experts  and  stakeholders  say  they  expect  they  will 
‘live  mostly  in  the  cloud’  in  2020  and  not  on  the  desktop, 
working  mostly  through  cyberspace-based  applications  accessed 
through  networked  devices. 

The  Reliability  of  Global  Undersea  Communications  Cable 
Infrastructure  (The  ROGUCCI  Report) 

http://www.ieee-rogucci.org/files/The%20ROGUCCI%20Report.pdf

IEEE/EastWest Institute

May  26,  2010 

186 

This  Study  submits  twelve  major  Recommendations  to  the  private 
sector,  governments  and  other  stakeholders  - especially  the 
financial  sector  - for  the  purpose  of  improving  the  reliability, 
robustness,  resilience  and  security  of  the  world's  undersea 
communications  cable  infrastructure. 

NSTB  Assessments  Summary  Report:  Common  Industrial 
Control  System  Cyber  Security  Weaknesses 

http://www.fas.org/sgp/eprint/nstb.pdf 

Department  of 
Energy,  Idaho 
National 
Laboratory 

May  1,  2010 

123 

Computer  networks  controlling  the  electric  grid  are  plagued  with 
security  holes  that  could  allow  intruders  to  redirect  power  delivery 
and  steal  data.  Many  of  the  security  vulnerabilities  are  strikingly 
basic  and  fixable  problems. 

Explore  the  reliability  and  resiliency  of  commercial 
broadband  communications  networks 

http://hraunfoss.fcc.gov/edocs_public/attachmatch/DOC-305618A1.doc

Federal Communications Commission (FCC)

April  21,  2010 

N/A 

The  Federal  Communications  Commission  launched  an  inquiry  on 
the  ability  of  existing  broadband  networks  to  withstand  significant 
damage  or  severe  overloads  as  a result  of  natural  disasters, 
terrorist  attacks,  pandemics  or  other  major  public  emergencies,  as 
recommended  in  the  National  Broadband  Plan. 
Security Guidance for Critical Areas of Focus in Cloud Computing V2.1

http://www.cloudsecurityalliance.org/csaguide.pdf 

Cloud  Security 
Alliance 

December  2009 

76 

“Through  our  focus  on  the  central  issues  of  cloud  computing 
security,  we  have  attempted  to  bring  greater  clarity  to  an 
otherwise  complicated  landscape,  which  is  often  filled  with 
incomplete  and  oversimplified  information.  Our  focus  ...  serves 
to  bring  context  and  specificity  to  the  cloud  computing  security 
discussion:  enabling  us  to  go  beyond  gross  generalizations  to 
deliver  more  insightful  and  targeted  recommendations.” 

21  Steps  to  Improve  Cyber  Security  of  SCADA  Networks 

http://www.oe.netl.doe.gov/docs/prepare/21stepsbooklet.pdf

U.S. Department of Energy, Infrastructure Security and Energy Restoration

January 1, 2007

10

The President's Critical Infrastructure Protection Board and the
Department  of  Energy  have  developed  steps  to  help  any 
organization  improve  the  security  of  its  SCADA  networks.  The 
steps  are  divided  into  two  categories:  specific  actions  to  improve 
implementation,  and  actions  to  establish  essential  underlying 
management  processes  and  policies. 

Note: Highlights compiled by CRS from the reports.
CRS Reports: Cybercrime and National Security

• CRS Report 97-1025, Cybercrime: An Overview of the Federal Computer Fraud
and Abuse Statute and Related Federal Criminal Laws, by Charles Doyle

• CRS Report 94-166, Extraterritorial Application of American Criminal Law, by
Charles Doyle

• CRS Report 98-326, Privacy: An Overview of Federal Statutes Governing
Wiretapping and Electronic Eavesdropping, by Gina Stevens and Charles Doyle

• CRS Report RL32706, Spyware: Background and Policy Issues for Congress, by
Patricia Moloney Figliola

• CRS Report R41975, Illegal Internet Streaming of Copyrighted
Content: Legislation in the 112th Congress, by Brian T. Yeh

• CRS Report R42112, Online Copyright Infringement and Counterfeiting:
Legislation in the 112th Congress, by Brian T. Yeh

• CRS Report R40599, Identity Theft: Trends and Issues, by Kristin M. Finklea

• CRS Report R41927, The Interplay of Borders, Turf, Cyberspace, and
Jurisdiction: Issues Confronting U.S. Law Enforcement, by Kristin M. Finklea

• CRS Report RL34651, Protection of Children Online: Federal and State Laws
Addressing Cyberstalking, Cyberharassment, and Cyberbullying, by Alison M.
Smith


Table 18. Selected Reports: Cybercrime/Cyberwar

Title 

Source  Date  Pages 

Notes 

Developing  State  Solutions  to  Business  Identity  Theft: 
Assistance,  Prevention  and  Detection  Efforts  by  Secretary 
of  State  Offices 

http://www.nass.org/index.php?option=com_docman&task=doc_download&gid=1257

National Association of Secretaries of State

January 2012

23

This white paper is the result of efforts by the 19-member NASS
Business  Identity  Theft  Task  Force  to  develop  policy  guidelines 
and  recommendations  for  state  leaders  dealing  with  identity  fraud 
cases  involving  public  business  records. 

A Cyberworm  that  Knows  No  Boundaries 

http://www.rand.org/content/dam/rand/pubs/occasional_papers/2011/RAND_OP342.pdf

RAND

December 21, 2011

55 

Stuxnet-like  worms  pose  a serious  threat  even  to  infrastructure 
and  computer  systems  that  are  not  connected  to  the  Internet. 
However,  defending  against  such  attacks  is  an  increasingly 
complex  prospect. 

Department of Defense Cyberspace Policy Report: A
Report to Congress Pursuant to the National Defense
Authorization Act for Fiscal Year 2011, Section 934

http://www.defense.gov/home/features/2011/0411_cyberstrategy/docs/NDAA%20Section%20934%20Report_For%20webpage.pdf

DOD

November 15, 2011

14 

From  the  report:  “...  When  warranted,  we  will  respond  to  hostile 
attacks  in  cyberspace  as  we  would  to  any  other  threat  to  our 
country.  We  reserve  the  right  to  use  all  necessary  means  - 
diplomatic,  informational,  military  and  economic  - to  defend  our 
nation,  our  allies,  our  partners  and  our  interests.” 

W32.Duqu:  The  Precursor  to  the  Next  Stuxnet 

http://www.symantec.com/connect/w32_duqu_precursor_next_stuxnet

Symantec

October 24, 2011

N/A

On October 14, 2011, a research lab with strong international
connections  alerted  Symantec  to  a sample  that  appeared  to  be 
very  similar  to  Stuxnet,  the  malware  which  wreaked  havoc  in 
Iran’s  nuclear  centrifuge  farms  last  summer.  The  lab  named  the 
threat  “Duqu”  because  it  creates  files  with  the  file  name  prefix 
“~DQ”.  The  research  lab  provided  Symantec  with  samples 
recovered  from  computer  systems  located  in  Europe,  as  well  as  a 
detailed  report  with  their  initial  findings,  including  analysis 
comparing  the  threat  to  Stuxnet. 

Cyber War Will Not Take Place

http://www.tandfonline.com/doi/abs/10.1080/01402390.2011.608939

Journal of Strategic Studies

October 5, 2011

29

The paper argues that cyber warfare has never taken place, is not
currently taking place, and is unlikely to take place in the future.
Revealed: Operation Shady RAT: an Investigation Of
Targeted Intrusions Into 70+ Global Companies,
Governments, and Non-Profit Organizations During the
Last 5 Years

http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf

McAfee

August 2, 2011

14

A cyber-espionage operation lasting many years penetrated 72
government and other organizations, most of them in the US, and
has copied everything from military secrets to industrial designs,
according to technology security company McAfee. See page 4 for
the types of compromised parties, page 5 for the geographic
distribution of victim’s country of origin, pages 7-9 for the types of
victims, and pages 10-13 for the number of intrusions for 2007-2010.

A Four-Day  Dive  Into  Stuxnet’s  Heart 

http://www.wired.com/threatlevel/2010/12/a-four-day-dive-into-stuxnets-heart/

Threat  Level 
Blog  (Wired) 

December 
27,  2010 

N/A 

From  the  article,  “It  is  a mark  of  the  extreme  oddity  of  the 
Stuxnet  computer  worm  that  Microsoft’s  Windows  vulnerability 
team  learned  of  it  first  from  an  obscure  Belarusian  security 
company  that  even  they  had  never  heard  of.” 

Did  Stuxnet  Take  Out  1,000  Centrifuges  at  the  Natanz 
Enrichment  Plant?  Preliminary  Assessment 

http://isis-online.org/isis-reports/detail/did-stuxnet-take-out-1000-centrifuges-at-the-natanz-enrichment-plant/

Institute  for 
Science  and 
International 
Security 

December 
22,  2010 

10 

This  report  indicates  that  commands  in  the  Stuxnet  code  intended 
to  increase  the  frequency  of  devices  targeted  by  the  malware 
exactly  match  several  frequencies  at  which  rotors  in  centrifuges  at 
Iran’s  Natanz  enrichment  plant  are  designed  to  operate  optimally 
or  are  at  risk  of  breaking  down  and  flying  apart. 

The Role of Internet Service Providers in Botnet
Mitigation: an Empirical Analysis Based on Spam Data

http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.165.2211&rep=rep1&type=pdf

Organisation for Economic Co-operation and Development (OECD)

November 
12,  2010 

68 

This  working  paper  considers  whether  ISPs  can  be  critical  control 
points  for  botnet  mitigation,  how  the  number  of  infected  machines 
varies  across  ISPs  and  why. 

Stuxnet  Analysis 

http://www.enisa.europa.eu/media/press-releases/stuxnet-analysis

European 
Network  and 
Information 
Security  Agency 

October  7, 
2010 

N/A 

EU  cybersecurity  agency  warns  that  the  Stuxnet  malware  is  a 
game  changer  for  critical  information  infrastructure  protection; 
PLC  controllers  of  SCADA  systems  infected  with  the  worm  might 
be  programmed  to  establish  destructive  over/under  pressure 
conditions  by  running  pumps  at  different  frequencies. 

Proceedings  of  a Workshop  on  Deterring  Cyberattacks: 
Informing  Strategies  and  Developing  Options  for  U.S. 
Policy 

http://www.nap.edu/catalog.php?record_id=12997#description

National Research Council

October  5, 
2010 

400 

At  the  request  of  the  Office  of  the  Director  of  National 
Intelligence,  the  National  Research  Council  undertook  a two- 
phase  project  aimed  to  foster  a broad,  multidisciplinary 
examination  of  strategies  for  deterring  cyberattacks  on  the  United 
States  and  of  the  possible  utility  of  these  strategies  for  the  U.S. 
government. 

Untangling  Attribution:  Moving  to  Accountability  in 
Cyberspace  [Testimony] 

http://i.cfr.org/content/publications/attachments/Knake%20-Testimony%20071510.pdf

Council  on 
Foreign  Relations 

July  15,  2010 

14 

Robert  K.  Knake’s  testimony  before  the  House  Committee  on 
Science  and  Technology  on  the  role  of  attack  attribution  in 
preventing  cyber  attacks  and  how  attribution  technologies  can 
affect  the  anonymity  and  the  privacy  of  Internet  users. 

Note:  Highlights  compiled  by  CRS  from  the  reports. 
Table 19. Selected Reports: International Efforts


Title 

Source 

Date 

Pages 

Notes 

Cyber-security:  The  Vexed  Question  of  Global  Rules:  An 
Independent  Report  on  Cyber-Preparedness  Around  the 
World 

http://www.mcafee.com/us/resources/reports/rp-sda-cyber-security.pdf?cid=WBB048

McAfee

February 1, 2012

108 

Forty-five  percent  of  legislators  and  cybersecurity 
experts  representing  27  countries  think  cybersecurity  is 
just  as  important  as  border  security.  The  authors 
surveyed  80  professionals  from  business,  academia  and 
government  to  gauge  worldwide  opinions  of 
cybersecurity. 

Cyber  Power  Index 

http://www.cyberhub.com/CyberPowerIndex

Booz Allen Hamilton and the Economist Intelligence Unit

January 15, 2012

N/A

The index of developing countries' ability to withstand
cyber attacks and build strong digital economies rates
the countries on their legal and regulatory frameworks;
economic and social issues; technology infrastructure;
and industry. The index puts the U.S. in the No. 2 spot,
and the UK in No. 1.

Foreign  Spies  Stealing  US  Economic  Secrets  in  Cyberspace 

http://www.ncix.gov/publications/reports/fecie_all/Foreign_Economic_Collection_2011.pdf

Office of the National Counterintelligence Executive

November 3, 2011

31 

According  to  the  report,  espionage  and  theft  through 
cyberspace  are  growing  threats  to  the  United  States' 
security  and  economic  prosperity,  and  the  world’s 
most  persistent  perpetrators  happen  to  also  be  U.S. 
allies. 

The  UK  Cyber  Security  Strategy:  Protecting  and  promoting 
the  UK  in  a digital  world 

http://www.cabinetoffice.gov.uk/sites/default/files/resources/uk-cyber-security-strategy-final.pdf

Cabinet Office (United Kingdom)

November 2011

43 

Chapter  1 describes  the  background  to  the  growth  of 
the  networked  world  and  the  immense  social  and 
economic  benefits  it  is  unlocking.  Chapter  2 describes 
these  threats.  The  impacts  are  already  being  felt  and 
will  grow  as  our  reliance  on  cyberspace  grows.  Chapter 
3 sets  out  where  we  want  to  end  up  - with  the 
Government’s  vision  for  UK  cyber  security  in  2015. 

Cyber  Dawn:  Libya 

http://www.unveillance.com/wp-content/uploads/2011/05/Project_Cyber_Dawn_Public.pdf

Cyber Security Forum Initiative

May  9,  2011 

70 

Project  Cyber  Dawn:  Libya  uses  open  source  material 
to  provide  an  in-depth  view  of  Libyan  cyberwarfare 
capabilities  and  defenses. 

China’s  Cyber  Power  and  America’s  National  Security 
http://www.dtic.mil/dtic/tr/fulltext/u2/a552990.pdf 

U.S.  Army  War 
College,  Strategy 
Research  Project 

March 24, 2011

86 

This  report  examines  the  growth  of  Chinese  cyber 
power;  their  known  and  demonstrated  capabilities  for 
offensive,  defensive  and  exploitive  computer  network 
operations;  China’s  national  security  objectives;  and 
the  possible  application  of  Chinese  cyber  power  in 
support  of  those  objectives. 

Worldwide  Threat  Assessment  of  the  U.S.  Intelligence 
Community  (Testimony) 

http://www.dni.gov/testimonies/20110210_testimony_clapper.pdf

James Clapper, Director of National Intelligence

February 10, 2011

34 

Provides  an  assessment  of  global  threats:  convergence, 
malware,  the  "Chinese"  connection,  foreign  military 
capabilities  in  cyberspace,  counterfeit  computer 
hardware  and  intellectual  property  theft,  and  identity 
theft/finding  vulnerable  government  operatives. 


Working  Towards  Rules  for  Governing  Cyber  Conflict: 
Rendering  the  Geneva  and  Hague  Conventions  in 
Cyberspace 

http://vialardi.org/nastrazzuro/pdf/US-Russia.pdf 

EastWest Institute

February 3, 2011

60 

[The  authors]  led  the  cyber  and  traditional  security 
experts  through  a point-by-point  analysis  of  the  Geneva 
and  Hague  Conventions.  Ultimately,  the  group  made 
five  immediate  recommendations  for  Russian  and  U.S.- 
led  joint  assessments,  each  exploring  how  to  apply  a 
key  convention  principle  to  cyberspace. 

The  Reliability  of  Global  Undersea  Communications  Cable 
Infrastructure  (The  Rogucci  Report) 

http://www.ieee-rogucci.org/files/The%20ROGUCCI%20Report.pdf

IEEE/EastWest Institute

May  26,  2010 

186 

This  Study  submits  twelve  major  recommendations  to 
the  private  sector,  governments  and  other 
stakeholders  - especially  the  financial  sector  - for  the 
purpose  of  improving  the  reliability,  robustness, 
resilience  and  security  of  the  world’s  undersea 
communications  cable  infrastructure. 

ITU  Toolkit  for  Cybercrime  Legislation 

http://www.itu.int/ITU-D/cyb/cybersecurity/docs/itu-toolkit-cybercrime-legislation.pdf

International Telecommunications Union

February 2010

N/A 

This  document  aims  to  provide  countries  with  sample 
legislative  language  and  reference  material  that  can 
assist  in  the  establishment  of  harmonized  cybercrime 
laws  and  procedural  rules. 

Note:  Highlights  compiled  by  CRS  from  the  reports. 
Table 20. Selected Reports: Education/Training/Workforce

Title

Source

Date

Pages

Notes

Cybersecurity Human Capital: Initiatives Need Better Planning and Coordination

http://www.gao.gov/products/GAO-12-8

General Accountability Office (GAO)

November 29, 2011

86

To ensure that government-wide cybersecurity
workforce initiatives are better coordinated and planned,
and to better assist federal agencies in defining roles,
responsibilities, skills, and competencies for their
workforce, the Secretary of Commerce, Director of the
Office of Management and Budget, Director of the Office
of Personnel Management, and Secretary of Homeland
Security should collaborate through the NICE initiative to
develop and finalize detailed plans allowing agency
accountability, measurement of progress, and
determination of resources to accomplish agreed-upon
activities.

NICE Cybersecurity Workforce Framework

http://www.nist.gov/manuscript-publication-search.cfm?pub_id=909505

National Initiative for Cybersecurity Education (NICE)

November 21, 2011

35

The adoption of cloud computing into the Federal
Government and its implementation depend upon a
variety of technical and non-technical factors. A
fundamental reference point, based on the NIST
definition of cloud computing, is needed to describe an
overall framework that can be used government-wide.
This document presents the NIST Cloud Computing
Reference Architecture (RA) and Taxonomy (Tax) that
will accurately communicate the components and
offerings of cloud computing.

2011 State of Cyberethics, Cybersafety and Cybersecurity Curriculum in the U.S. Survey

http://www.staysafeonline.org/sites/default/files/resource_documents/2011%20National%20K-12%20Study%20Final_0.pdf

National Cyber Security Alliance and Microsoft

May 13, 2011

16

This year’s survey further explores the perceptions and
practices of U.S. teachers, school administrators and
technology coordinators in regards to cyberethics,
cybersafety and cybersecurity education. This year's
survey finds that young people still are not receiving
adequate training and that teachers are ill-prepared to
teach the subjects due, in large part, to lack of
professional development.
Cyber Operations Personnel Report (DoD)

http://www.nsci-va.org/CyberReferenceLib/2011-04-Cyber%20Ops%20Personnel.pdf

Department of Defense

April 2011

84

This report is focused on FY09 Department of Defense
Cyber Operations personnel, with duties and
responsibilities as defined in Section 934 of the Fiscal
Year (FY) 2010 National Defense Authorization Act
(NDAA).

Appendix A - Cyber Operations-related Military
Occupations

Appendix B - Commercial Certifications Supporting the
DoD Information Assurance Workforce Improvement
Program

Appendix C - Military Services Training and
Development

Appendix D - Geographic Location of National Centers
of Academic Excellence in Information Assurance

Design of the DETER Security Testbed

http://www.isi.edu/deter/news/news.php?story=20

University of Southern California (USC) Information Sciences Institute, University of California Berkeley (UCB), McAfee Research

January 13, 2011

N/A

The Department of Homeland Security (DHS) will invest
$16 million over the next five years to expand a
cybersecurity testbed at the University of Southern
California (USC). The Deterlab testbed provides an
isolated 400-node mini-Internet, in which researchers can
investigate malware and other security threats without
danger of infecting the real Internet. It also supports
classroom exercises in computer security for nearly 400
students at 10 universities and colleges.

The Power of People: Building an Integrated National Security Professional System for the 21st Century

http://www.pnsr.org/data/images/pnsr_the_power_of_people_report.pdf

Project on National Security Reform (PNSR)

November 2010

326

This study was conducted in fulfillment of Section 1054 of
the National Defense Authorization Act for Fiscal Year 2010,
which required the commissioning of a study by "an
appropriate independent, nonprofit organization, of a
system for career development and management of
interagency national security professionals."

Note: Highlights compiled by CRS from the reports.
Table 21. Selected Reports: Research & Development (R&D)


Title 

Source 

Date 

Pages 

Notes 

Information  Security  Risk  Taking 

http://www.nsf.gov/awardsearch/showAward.do?AwardNumber=1127185

National Science Foundation (NSF)

January 17, 2012

N/A

The NSF is funding research on giving organizations
information-security risk ratings, similar to credit ratings for
individuals.

At  the  Forefront  of  Cyber  Security  Research 

http://www.livescience.com/15423-forefront-cyber-security-research-nsf-bts.html

NSF

August 11, 2011

N/A 

TRUST  is  a university  and  industry  consortium  that 
examines  cyber  security  issues  related  to  health  care, 
national  infrastructures,  law  and  other  issues  facing  the 
general  public. 

Designing  A Digital  Future:  Federally  Funded  Research  And 
Development  In  Networking  And  Information  Technology 

http://www.whitehouse.gov/sites/default/files/microsites/ostp/pcast-nitrd-report-2010.pdf

White  House 

December  16,  2010 

148 

The  President’s  Council  of  Advisors  on  Science  and 
Technology  (PCAST)  has  made  several  recommendations 
in  a report  about  the  state  of  the  government’s 
Networking  and  Information  Technology  Research  and 
Development  (NITRD)  Program. 

Partnership  for  Cybersecurity  Innovation 

http://www.whitehouse.gov/blog/2010/12/06/partnership-cybersecurity-innovation

White House Office of Science and Technology Policy

December 6, 2010

10 

The  Obama  Administration  released  a Memorandum  of 
Understanding  signed  by  the  National  Institute  of 
Standards  and  Technology  (NIST)  of  the  Department  of 
Commerce,  the  Science  and  Technology  Directorate  of 
the  Department  of  Homeland  Security  (DHS/S&T),  and 
the  Financial  Services  Sector  Coordinating  Council 
(FSSCC).  The  goal  of  the  agreement  is  to  speed  the 
commercialization  of  cybersecurity  research  innovations 
that  support  our  nation’s  critical  infrastructures. 

Science  of  Cyber-Security 

http://www.fas.org/irp/agency/dod/jason/cyber.pdf 

Mitre  Corp 
(JASON  Program 
Office) 

November 2010

86

JASON was requested by DoD to examine the theory and
practice of cyber-security, and evaluate whether there are
underlying fundamental principles that would make it
possible to adopt a more scientific approach, identify what
is needed in creating a science of cyber-security, and
recommend specific ways in which scientific methods can
be applied.

American  Security  Challenge 
http://www.americansecuritychallenge.com/ 

National Security Initiative

October  18,  2010 

N/A 

The  objective  of  the  Challenge  is  to  increase  the  visibility 
of  innovative  technology  and  help  the  commercialization 
process  so  that  such  technology  can  reach  either  the 
public  or  commercial  marketplace  faster  to  protect  our 
citizens  and  critical  assets. 

Note:  Highlights  compiled  by  CRS  from  the  reports. 
Related Resources: Other Websites

This  section  contains  other  cybersecurity  resources,  including  U.S.  government,  international,  news  sources,  and  other  associations  and 
institutions. 


Table 22. Related Resources: Congressional/Government

Name

Source

Notes

Congressional Cybersecurity Caucus
http://housecybersecuritycaucus.langevin.house.gov/index.shtml

Led by Representatives Jim Langevin and Mike McCaul.

Provides statistics, news on congressional cyberspace actions,
and links to other informational websites.

Cybersecurity and Trustworthiness Projects and Reports
http://sites.nationalacademies.org/CSTB/CSTB_059144

Computer Science and Telecommunications Board, National
Academy of Sciences

A list of independent and informed reports on cybersecurity
and public policy.

Cybersecurity, at: http://www.whitehouse.gov/cybersecurity

White House National Security Council

Links to White House policy statements, key documents,
videos, and blog posts.

Office of Cybersecurity and Communications (CS&C)
http://www.dhs.gov/xabout/structure/gc_1185202475883.shtm

U.S. Department of Homeland Security

As the sector-specific agency for the communications and
information technology (IT) sectors, CS&C coordinates
national level reporting that is consistent with the National
Response Framework (NRF).

U.S. Cyber Command
http://www.defense.gov/home/features/2010/0410_cybersec/

U.S. Department of Defense

Links to press releases, fact sheets, speeches, announcements,
and videos.

U.S. Cyber-Consequences Unit
http://www.usccu.us/

U.S. Cyber-Consequences Unit (US-CCU)

U.S.-CCU, a non-profit 501c(3) research institute, provides
assessments of the strategic and economic consequences of
possible cyber-attacks and cyber-assisted physical attacks. It
also investigates the likelihood of such attacks and examines
the cost-effectiveness of possible counter-measures.

Note: Highlights compiled by CRS from the reports.
Table 23. Related Resources: International Organizations

Name 

Source 

Notes 

Australian Internet Security Initiative

http://www.acma.gov.au/WEB/STANDARD/pc=PC_310317

Australian Communications and Media
Authority

The Australian Internet Security Initiative (AISI) is an antibotnet
initiative that collects data on botnets in collaboration with
Internet Service Providers (ISPs), and two industry codes of
practice.

Cybercrime 

http://www.coe.int/t/DGHL/cooperation/economiccrime/cybercrime/default_en.asp

Council  of  Europe 

Links  to  the  Convention  on  Cybercrime  treaty,  standards, 
news,  and  related  information. 

Cybersecurity  Gateway 

http://groups.itu.int/Default.aspx?alias=groups.itu.int/cybersecurity-gateway

International  Telecommunications  Union 
(ITU) 

ITU's  Global  Cybersecurity  Agenda  (GCA)  is  the  framework 
for  international  cooperation  with  the  objective  of  building 
synergies  and  engaging  all  relevant  stakeholders  in  our 
collective  efforts  to  build  a more  secure  and  safer  information 
society  for  all. 

Cybercrime  Legislation  - Country  Profiles 

http://www.coe.int/t/dg1/legalcooperation/economiccrime/cybercrime/Documents/CountryProfiles/default_en.asp

Council  of  Europe 

These  profiles  have  been  prepared  within  the  framework  of  the 
Council  of  Europe’s  Project  on  Cybercrime  in  view  of  sharing 
information  on  cybercrime  legislation  and  assessing  the  current 
state  of  implementation  of  the  Convention  on  Cybercrime 
under  national  legislation. 

ENISA:  Securing  Europe’s  Information  Society 
http://www.enisa.europa.eu/ 

European Network and Information Security
Agency (ENISA)

ENISA informs businesses and citizens in the European Union on
cybersecurity threats, vulnerabilities and attacks. (Requires free
registration to access).

German  Anti-Botnet  Initiative 
http://www.oecd.org/dataoecd/42/50/45509383.pdf 

Organisation  for  Economic  Co-operation  and 
Development  (OECD)  (English-language 
summary) 

This  is  a private  industry  initiative  which  aims  to  ensure  that 
customers  whose  personal  computers  have  become  part  of  a 
botnet  without  them  being  aware  of  it  are  informed  by  their 
Internet  Service  Providers  about  this  situation  and  at  the  same 
time  are  given  competent  support  in  removing  the  malware. 

International  Cyber  Security  Protection  Alliance  (ICSPA) 
https://www.icspa.org/about-us/ 

International  Cyber  Security  Protection 
Alliance  (ICSPA) 

A global  not-for-profit  organization  that  aims  to  channel 
funding,  expertise,  and  help  directly  to  law  enforcement  cyber 
crime  units  around  the  world. 

NATO  Cooperative  Cyber  Defence  Centre  of  Excellence 
(CCD  COE) 

http://www.ccdcoe.org/ 

North  Atlantic  Treaty  Organization 
(NATO) 

The  Center  is  an  international  effort  that  currently  includes 
Estonia,  Latvia,  Lithuania,  Germany,  Hungary,  Italy,  the  Slovak 
Republic,  and  Spain  as  sponsoring  nations,  to  enhance  NATO’s 
cyber  defence  capability. 

Note:  Highlights  compiled  by  CRS  from  the  reports. 
Table 24. Related Resources: News

Name

Source

Computer Security (Cybersecurity)
http://topics.nytimes.com/top/reference/timestopics/subjects/c/computer_security/index.html

New York Times

Cybersecurity
http://topics.nextgov.com/cybersecurity

NextGov.com

Cyberwarfare and Cybersecurity
http://benton.org/taxonomy/term/1193

Benton Foundation

Homeland Security
http://homeland.cq.com/hs/news.do;jsessionid=20B0A2F676BA73C13DDC30A877479F46

Congressional Quarterly (CQ)

Cybersecurity
http://www.homelandsecuritynewswire.com/topics/cybersecurity

Homeland Security News Wire
Table 25. Related Resources: Other Associations and Institutions

Name

Notes

Cybersecurity from the Center for Strategic &
International Studies (CSIS)
http://csis.org/category/topics/technology/cybersecurity

Links to experts, programs, publications, and multimedia.
CSIS is a bipartisan, nonprofit organization whose affiliated
scholars conduct research and analysis and develop policy
initiatives that look to the future and anticipate change.

Cyberconflict and Cybersecurity Initiative from the
Council on Foreign Relations
http://www.cfr.org/projects/world/cyberconflict-and-cybersecurity-initiative/pr1497

Focuses on the relationship between cyberwar and the
existing laws of war and conflict; how the United States
should engage other states and international actors in
pursuit of its interests in cyberspace; how the promotion of
the free flow of information interacts with the pursuit of
cybersecurity; and the private sector’s role in defense,
deterrence, and resilience.

Federal Cyber Service from the Scholarship For Service
(SFS)
https://www.sfs.opm.gov/

Scholarship For Service (SFS) is designed to increase and
strengthen the cadre of federal information assurance
professionals that protect the government’s critical
information infrastructure. This program provides
scholarships that fully fund the typical costs that students
pay for books, tuition, and room and board while
attending an approved institution of higher learning.

Institute for Information Infrastructure Protection
(I3P)
http://www.thei3p.org/

I3P is a consortium of leading universities, national
laboratories and nonprofit institutions dedicated to
strengthening the cyber infrastructure of the United States.

Internet Security Alliance (ISA)
https://netforum.avectra.com/eWeb/StartPage.aspx?Site=ISA

ISAalliance is a non-profit collaboration between the
Electronic Industries Alliance (EIA), a federation of trade
associations, and Carnegie Mellon University’s CyLab.

National Association of State Chief Information
Offices (NASCIO)
http://www.nascio.org/advocacy/cybersecurity

NASCIO’s cybersecurity awareness website. The Resource
Guide provides examples of state awareness programs and
initiatives.

National Board of Information Security Examiners
(NBISE)
http://www.nbise.org/certifications.php

The National Board of Information Security Examiners
(NBISE) mission is to increase the security of information
networks, computing systems, and industrial and military
technology by improving the potential and performance of
the cyber security workforce.

National Initiative for Cybersecurity Education (NICE)
http://csrc.nist.gov/nice/

NICE attempts to forge a common set of definitions for the
cybersecurity workforce.

National Security Cyberspace Institute (NSCI)
http://www.nsci-va.org/whitepapers.htm

NSCI provides education, research and analysis services to
government, industry, and academic clients aiming to
increase cyberspace awareness, interest, knowledge, and/or
capabilities.

U.S. Cyber Challenge (USCC)
http://www.uscyberchallenge.org/

USCC’s goal is to find 10,000 of America's best and
brightest to fill the ranks of cybersecurity professionals
where their skills can be of the greatest value to the nation.

Source: Highlights compiled by CRS from the reports of related associations and institutions.
Author Contact Information


Rita  Tehan 

Information  Research  Specialist 
rtehan@crs.loc.gov,  7-6739 


Key  Policy  Staff 


Area  of  Expertise 

Name 

Phone 

E-mail 

General  Policy  Issues 

Eric  A.  Fischer 

7-7071 

efischer@crs.loc.gov 

General  Policy  Issues 

John  Rollins 

7-5529 

jrollins@crs.loc.gov 

Critical  Infrastructure 

John  D.  Moteff 

7-1435 

jmoteff@crs.loc.gov 

Critical  Infrastructure 

Richard  J.  Campbell 

7-7905 

rcampbell@crs.loc.gov 

Critical  Infrastructure 

Patricia  Maloney  Figliola 

7-2508 

pfigliola@crs.loc.gov 

Critical  Infrastructure 

Lennard  Kruger 

7-7070 

lkruger@crs.loc.gov 

Cybercrime 

Charles  Doyle 

7-6968 

cdoyle@crs.loc.gov 

Cybercrime 

Brian  Yeh 

7-5182 

byeh@crs.loc.gov 

Cybercrime 

Kristin  Finklea 

7-6259 

kfinklea@crs.loc.gov 

Cybercrime 

Gina  Stevens 

7-2581 

gstevens@crs.loc.gov 

National  Security 

John  Rollins 

7-5529 

jrollins@crs.loc.gov 

National  Security 

Catherine  A.  Theohary 

7-0844 

ctheohary@crs.loc.gov

National  Security 

Paul  Kerr 

7-8693 

pkerr@crs.loc.gov 